Types of Privacy

1. Decisional Privacy:

o Definition: This type of privacy protects an individual's right to make personal decisions
without interference. It safeguards personal autonomy, especially regarding significant
matters like health, family, or life choices.

o Example: Imagine a person deciding whether or not to undergo a medical procedure.

This decision is personal and must be free from external pressures or interference. The
right to make such a decision without outside influence is part of decisional privacy.

2. Informational Privacy:

o Definition: This type of privacy refers to the control over one's personal information—
how it is collected, used, and shared. It is a key aspect of data protection, preventing
unauthorized access or disclosure of personal data.

o Example: An individual’s credit card information stored by an online store is protected by

informational privacy. The store must ensure that the information is not shared or
accessed by third parties without the individual's consent.

Data Privacy (Informational Privacy) and the Data Privacy Act of 2012 (DPA)

 Data Privacy: This is primarily concerned with the protection of personal information from
unauthorized access, collection, use, and sharing. In the Philippines, R.A. No. 10173 (Data
Privacy Act of 2012) ensures that personal data is handled in compliance with standards for
privacy protection.

o Example: If a hospital collects personal health data from patients, it must ensure the
confidentiality of that information, not share it with third parties without consent, and
only use it for the intended purpose (e.g., providing medical treatment).

 Disclosure of Case Details: According to the DPA, disclosing the details of a legal case does not
violate the law as long as no personal or sensitive information is shared. However, lawyers must
still be cautious, as sharing confidential client information may violate the lawyer-client
confidentiality rule, even if it does not breach data privacy laws.

Personal information, data subject, National Privacy Commission, sensitive personal information,
required parties to comply with the rules, data sharing, data privacy principles, sub-contracting and
outsourcing, data privacy accountability, rights of data subject, Personal information controller, personal
information processor, penalties for violation of DPA

1. Personal Information

 Definition: Personal information refers to any data that can identify an individual directly or
indirectly. This could include a person’s name, address, contact details, and identification
numbers.

 Example: An email address such as "johndoe@gmail.com" is considered personal information

because it can be linked to a specific person.

 Legal Basis: Section 3(g) of the Data Privacy Act of 2012 (DPA) defines personal information as
any information from which the identity of an individual can be reasonably and directly
ascertained.

2. Data Subject

 Definition: A data subject is the individual whose personal information is processed. The DPA
aims to protect the privacy and personal data of the data subject.

 Example: When a customer signs up for a service and provides personal details, they become
the data subject whose information must be protected.

 Legal Basis: Section 3(c) of the DPA identifies a data subject as the individual from whom
personal data is collected and processed.

3. National Privacy Commission (NPC)

 Definition: The NPC is the government agency responsible for enforcing the Data Privacy Act,
ensuring compliance, and monitoring data protection activities.

 Example: If a company mishandles personal data, the NPC can investigate and issue fines or
penalties.

 Legal Basis: Section 7 of the DPA establishes the NPC to administer and implement the
provisions of the Act.

4. Sensitive Personal Information

 Definition: Sensitive personal information includes data that involves race, ethnic origin, marital
status, health, education, political affiliations, and other sensitive topics.

 Example: A person’s medical records or biometric data fall under sensitive personal information.

 Legal Basis: Section 3(l) of the DPA provides a detailed list of what constitutes sensitive personal
information, giving it a higher level of protection.

5. Required Parties to Comply with the Rules

  Definition: Personal Information Controllers (PICs) and Personal Information Processors (PIPs)
are required to comply with the rules of data processing under the DPA.

 Example: Hospitals, schools, law firms, and businesses that process personal data must comply
with data privacy rules.

 Legal Basis: Section 3(h) (PIC) and Section 3(i) (PIP) of the DPA define these roles and their
responsibilities.

6. Data Sharing

 Definition: Data sharing refers to the transfer of personal data from one organization to another
for legitimate purposes.

 Example: A bank sharing a customer's financial information with a credit reporting agency is an
example of data sharing, provided the customer has given consent.

 Legal Basis: Section 20 of the DPA allows for data sharing under certain conditions, including
consent from the data subject and compliance with privacy principles.

7. Data Privacy Principles

 Definition: These are the principles that guide the processing of personal data, including
transparency, legitimate purpose, and proportionality.

 Example: A company collecting personal data should clearly inform the data subject about how
the data will be used (transparency) and ensure the data is used only for legitimate business
purposes.

 Legal Basis: Sections 11 and 12 of the DPA outline the principles of data processing, including
ensuring that personal data is collected and processed lawfully, fairly, and in a transparent
manner.

The Data Privacy Act (DPA) of the Philippines outlines key principles that must be adhered to when
processing personal information. These principles ensure that personal data is collected, processed, and
stored in a way that respects the rights of individuals and complies with legal requirements. The
processing of personal information is allowed as long as it follows these principles, complies with the
DPA, and adheres to other relevant laws that allow the disclosure of information.

1. Transparency

 Explanation: The data subject (individual whose data is being processed) must be informed
about the nature, purpose, and extent of the processing of their personal data. This includes
being made aware of any risks, safeguards in place, the identity of the personal information
controller (PIC), and the rights of the data subject. The information should be provided in clear
and understandable language.

 Example: When a company collects customer data, it should clearly explain through a privacy
notice how the data will be used, who will have access to it, and what rights the customer has
regarding their data.
  Legal Basis: Section 17(a) of the DPA Implementing Rules and Regulations (IRR).

2. Legitimate Purpose

 Explanation: Personal information must only be processed for purposes that are compatible
with the declared, specified, and legitimate purpose at the time of collection. The purpose must
not violate any law, morals, or public policy.

 Example: A school collecting student information for educational purposes cannot use the same
data for marketing purposes without obtaining additional consent.

 Legal Basis: Section 17(b) of the DPA IRR.

3. Proportionality

 Explanation: The data collected should be adequate, relevant, and necessary for the purpose it
was collected for. The processing should not be excessive or more intrusive than required to
achieve the intended purpose.

 Example: A company that collects only the necessary personal information (like name and
contact details) to process a purchase rather than collecting excessive details like marital status
or religion.

 Legal Basis: Section 17(c) of the DPA IRR.

4. Personal Data Processing Requirements

The DPA also sets out specific requirements for the processing of personal data, ensuring that it is:

a. Collected for Specified and Legitimate Purposes

 Personal data must be collected for legitimate purposes that are declared to the data subject
before, or as soon as possible after, collection.

 Example: An online retailer informing customers that their data will be used for order processing
and delivery purposes.

b. Processed Fairly and Lawfully

 Personal information must be processed in a way that respects the rights of the data subject and
complies with the law.

 Example: A company processing employee data in compliance with labor laws and ensuring data
protection measures are in place.

c. Accurate and Up-to-date.

 The data must be kept accurate and up-to-date, with incorrect or incomplete information being
rectified or deleted as necessary.

 Example: A bank ensuring customer records are regularly updated, and outdated or incorrect
addresses are corrected.
d. Adequate, Not Excessive

 Only the data necessary to fulfill the declared purpose should be collected and processed. Any
excess data should not be collected.

 Example: A job application form asking for relevant educational qualifications and experience,
but not unnecessary details like personal family history.

e. Retained Only for Necessary Period

 Personal data should be retained only as long as necessary for its intended purpose or for legal
obligations. After that, it should be securely deleted or anonymized.

 Example: An employer keeping employment records only for the period required by law and
securely disposing of them once the retention period expires.

 Note: Companies may not retain personal data indefinitely, such as keeping a former employee's
record forever without a legitimate or legal reason.

f. Processed for Historical, Statistical, or Scientific Purposes

 Data may be stored for longer periods for legitimate reasons like historical, statistical, or
scientific purposes, as long as adequate safeguards are in place.

 Example: A university retaining student records for research purposes, provided the information
is anonymized and protected.

5. Data Retention and Disposal

 Explanation: Personal data should not be kept in a form that allows identification of data
subjects longer than necessary. If personal data is retained for extended periods for historical,
statistical, or scientific purposes, it must be anonymized or have sufficient safeguards in place to
protect privacy.

 Example: An archive of customer feedback data may be kept for long-term analysis, but
identifying details should be anonymized.

6. Accountability of the Personal Information Controller (PIC)

 Explanation: The PIC (the entity responsible for the data) must ensure compliance with the data
privacy principles. They are accountable for the actions taken regarding the personal data in
their control, including how it is processed, shared, and secured.

 Example: A company is accountable for ensuring that its third-party service providers handling
personal data comply with data privacy regulations.

Legal Basis:

 These principles and requirements are established under Sections 11, 12, and 17 of the Data
Privacy Act of 2012 (Republic Act No. 10173), and its Implementing Rules and Regulations
(IRR).
Conclusion:

The general data privacy principles of transparency, legitimate purpose, and proportionality guide how
organizations handle personal data, ensuring that individuals' rights are protected while allowing
organizations to use data for legitimate purposes. Proper adherence to these principles helps maintain
data privacy and security, ensuring lawful and ethical data processing.

8. Sub-contracting and Outsourcing

 Definition: This involves a Personal Information Controller (PIC) outsourcing the processing of
data to a Personal Information Processor (PIP) for specific tasks. This is governed by a legal
agreement.

 Example: A company (PIC) hiring a payroll service (PIP) to manage employee data. The PIP
processes the data under the PIC’s instructions.

 Legal Basis: Section 44 of the DPA Implementing Rules and Regulations (IRR) governs
outsourcing arrangements and requires that an outsourcing agreement be in place.

9. Data Privacy Accountability

 Definition: This principle ensures that Personal Information Controllers and Processors are
accountable for ensuring that personal data is handled securely and lawfully.

 Example: If a data breach occurs, the company responsible for the data must take steps to notify
affected individuals and take remedial action.

 Legal Basis: Section 21 of the DPA states that the PICs and PIPs are accountable for personal data
processing, including protecting personal information from unauthorized access or disclosure.

10. Rights of the Data Subject

 Definition: Data subjects have several rights under the DPA, including the right to be informed,
access, correct, and object to the processing of their data.

 Example: A customer has the right to request access to the personal data held by a company and
demand corrections if the data is inaccurate.

 Legal Basis: Chapter IV (Sections 16-19) of the DPA outlines the rights of the data subject,
including the right to access, rectification, erasure, and data portability.

11. Personal Information Controller (PIC)

 Definition: A PIC is any entity that controls the processing of personal data and makes decisions
regarding the use and collection of that data.

 Example: A school acting as a PIC when it collects and stores students’ personal information for
academic purposes.
  Legal Basis: Section 3(h) of the DPA defines a PIC as a person or organization that controls the
processing of personal data.

12. Personal Information Processor (PIP)

 Definition: A PIP is a natural or legal person who processes personal data on behalf of the PIC.

 Example: A cloud storage provider hired by a company to store customer information is a PIP,
processing data on behalf of the PIC.

 Legal Basis: Section 3(i) of the DPA defines a PIP as any natural or legal person to whom a PIC
may outsource the processing of personal data.

13. Penalties for Violation of DPA

 Definition: The DPA imposes penalties for unauthorized processing of personal data, negligence
in protecting sensitive data, and other violations.

 Example: If a company leaks sensitive customer data due to poor security measures, the NPC
may impose penalties, including fines and imprisonment.

 Legal Basis: Sections 25-36 of the DPA outline the penalties, including imprisonment ranging
from 1 to 6 years and fines ranging from PHP 500,000 to PHP 5,000,000, depending on the
violation.

These concepts help outline how personal information should be handled in compliance with data
privacy laws, protecting the rights of individuals while allowing organizations to manage data
responsibly.

Criteria for Processing Sensitive Personal and Privileged Information:

1. Consent from Data Subjects or Parties Involved

o Explanation: Processing sensitive information is allowed when the data subject, or in the
case of privileged information, all involved parties, give specific consent for the defined
purpose before the data is handled. This ensures that individuals have control over how
their personal information is shared and used.

o Example: A law firm may share privileged information from a case only if the client
consents, ensuring confidentiality is preserved unless permission is granted.

2. Processing Required by Law or Regulations

o Explanation: If a law mandates the processing of sensitive or privileged data, it is

permitted without needing consent from the data subject. However, such laws must
provide guarantees that protect this information, maintaining privacy and data security.
 o Example: Schools sharing disciplinary records among teachers, as per the Education Act
of 1982, can implement this without obtaining explicit consent from students, as it falls
under regulatory requirements and is used internally.

3. Protecting Life and Health When Consent is Unobtainable

o Explanation: In emergencies, if a data subject cannot provide consent (e.g., unconscious

in a medical situation), sensitive information can be processed to protect their or
another's life and health. This exception prioritizes safety over consent requirements in
critical situations.

o Example: During a medical emergency, a hospital may share patient data with other
healthcare providers to deliver urgent care, even if the patient is unconscious and
cannot provide consent.

4. Noncommercial Public Organization Purposes

o Explanation: Nonprofit and public organizations may process data necessary for their
lawful, noncommercial goals if the data subject consents beforehand. The information
should be shared only among the organization’s members and not with third parties.

o Example: A nonprofit club processing members’ sensitive health data to organize

suitable activities for them can do so as long as the data is used internally and with the
members’ consent.

5. Medical Treatment by Qualified Medical Practitioners

o Explanation: Data required for medical treatment is permitted to be processed, provided

it’s conducted by licensed medical professionals or institutions with adequate privacy
protections in place. This allows essential information sharing in a regulated and safe
manner for health purposes.

o Example: A hospital may collect and share a patient’s sensitive medical history among
practitioners involved in their care, ensuring the protection of personal health data
throughout the treatment process.

6. Legal Rights, Court Proceedings, or Government Mandates

o Explanation: Processing is allowed when it is essential to protect the legal rights of

individuals or organizations, establish or defend legal claims, or provide necessary
information to public authorities. This protects the ability to use sensitive information in
judicial or legal settings.

o Example: In a legal dispute, a witness may be required by subpoena to testify about

sensitive information related to the case. Here, processing such data is lawful and
necessary for justice.
Criteria for the Lawful Processing of Personal Information:

1. Data Subject's Consent

o Explanation: The most fundamental requirement is obtaining the data subject’s explicit
consent to process their personal information. This gives individuals control and
awareness over how their data is used.

o Example: A retail company obtains customer consent to use their email address for
sending promotional materials.

2. Contractual Necessity

o Explanation: Processing is allowed if it’s necessary for fulfilling a contract with the data
subject or taking steps at their request before entering a contract. This ensures that
essential data can be used to meet contractual obligations.

o Example: An employer gathers information from a job applicant (e.g., contact details,
work history) as part of the hiring process to draft an employment contract.

3. Legal Obligation Compliance

o Explanation: Personal information can be processed if required for compliance with a

legal duty imposed on the information controller. This ensures that entities can fulfill
statutory responsibilities lawfully.

o Example: Banks may report dormant accounts to the government for escheat (claiming
unclaimed property), following legal obligations.

4. Protection of Vital Interests

o Explanation: Processing personal information is permitted if necessary to protect

essential interests of the data subject, especially regarding their life and health. This
ensures data can be shared in emergencies or for healthcare purposes.

o Example: A Health Maintenance Organization (HMO) may use a member’s information

to provide necessary medical treatments.

5. Public Order, Safety, or National Emergency Response

o Explanation: When processing is essential to respond to national emergencies, uphold

public order, or perform mandated functions, it is permitted, prioritizing public welfare
over individual consent.

o Example: Government agencies may process data during a natural disaster to locate
affected individuals and provide aid.

6. Legitimate Interests of Controller or Third Parties

o Explanation: Processing is allowed if it serves the legitimate interests of the controller or

a third party, as long as it doesn’t infringe on the data subject’s fundamental rights. This
provides a balance between business needs and privacy rights.
 o Example: A business may process customer purchasing data to improve service delivery,
as long as it respects customers’ rights to data privacy.

These criteria enable lawful data processing while protecting individual rights and allowing data use in
circumstances like health emergencies, legal requirements, and contractual obligations.

Three-Part Test for Relying on Legitimate Interests in Data Processing

1. Purpose Test

o Explanation: This test examines if the purpose of processing aligns with a legitimate
interest of the personal information controller or a third party. A legitimate interest
should be lawful, specific, and necessary for the functioning of the controller’s services
or business.

o Example: A retail company might process customer purchase history to improve product
recommendations. This is a legitimate interest aimed at enhancing customer satisfaction
and tailoring services.

2. Necessity Test

o Explanation: The processing of personal data must be necessary to achieve the

legitimate interest identified in the purpose test. It requires the controller to consider if
the goal could be met in a way that involves less data or less intrusive processing.

o Example: For effective product recommendations, processing a customer’s purchase

history might be necessary to accurately suggest items they might like, instead of relying
on general customer profiles that may be less relevant.

3. Balancing Test

o Explanation: This test checks whether the legitimate interest outweighs any potential
impact on the individual’s rights and freedoms. The controller should evaluate if the data
subject's privacy rights could be compromised and ensure sufficient safeguards are in
place to mitigate any risks.

o Example: The retail company should assess if customers might feel their data is overly
scrutinized. To balance this, it might limit the recommendation process to recent
purchases only, reducing the amount of data processed and notifying customers clearly
about how their information will be used.

Together, these tests ensure that using legitimate interests as a basis for processing respects both
organizational needs and individual rights. If the organization fails any part of this test, relying on
legitimate interests would not be appropriate, and alternative lawful bases or explicit consent should be
sought.
Invoking Privileged Communication Against the NPC

 Explanation: A personal information controller (PIC) may invoke privileged communication to

prevent the disclosure of sensitive or privileged information to the National Privacy Commission
(NPC) if it is legally protected. Privileged communication refers to certain types of information
that are legally exempt from disclosure, such as lawyer-client communications, doctor-patient
communications, or other sensitive information safeguarded by law. When the NPC seeks access
to information that the PIC claims is privileged, the PIC must justify the privileged nature of the
communication. This process often occurs in a private, executive session to review the nature of
the privilege claim without exposing sensitive information publicly.

o If the NPC determines that the information is indeed privileged, it will be excluded from
evidence and will not appear in official records.

o However, if the privileged communication itself is involved in a privacy violation or data

breach investigation, the NPC may review it solely for investigative purposes, without
including it in the case’s records.

 Example: Suppose a law firm acting as a PIC is under NPC investigation for a potential data
breach involving client information. The firm can invoke attorney-client privilege to protect client
communications from being disclosed as evidence. In an executive session, the firm would need
to demonstrate to the NPC that the information is indeed privileged. If the NPC agrees, the
privileged communication remains excluded from the records. However, if the breach specifically
concerns these privileged communications, the NPC could examine them but would refrain from
including the content in the official investigation record.

This balance aims to respect the confidentiality of legally protected information while enabling necessary
investigations into data privacy concerns.

The five pillars of data privacy accountability and compliance are essential steps that organizations
must implement to protect personal data and comply with data privacy laws like the Data Privacy Act
(DPA). Here’s an explanation of each pillar with examples:

1. Appoint a Data Protection Officer (DPO)

o Explanation: A DPO is responsible for overseeing the organization’s compliance with

data privacy laws and regulations. The DPO handles data protection policies, provides
guidance on compliance, and acts as a contact point for data subjects and regulatory
authorities.

o Example: A healthcare provider hires a DPO to ensure that patient information is

protected in line with data privacy laws. The DPO trains staff on privacy practices,
advises on legal obligations, and ensures proper response to data subjects’ requests.

2. Conduct a Privacy Risk Assessment

 o Explanation: Privacy risk assessments help organizations identify potential risks in their
data processing activities and assess the impact on data subjects' rights. This assessment
helps to develop strategies to mitigate identified risks.

o Example: An e-commerce platform conducts a privacy risk assessment before launching

a new feature that collects customer location data. The assessment identifies potential
risks, such as unauthorized access, and the company strengthens its encryption methods
to mitigate them.

3. Establish a Privacy Management Program and Codify it into a Privacy Manual

o Explanation: A privacy management program formalizes the organization’s approach to

data privacy and is documented in a privacy manual. This program includes policies,
procedures, and controls for handling personal data.

o Example: A bank develops a privacy management program that outlines its data-
handling procedures, such as data retention periods and customer notification practices.
This program is documented in a privacy manual that all employees must follow.

4. Implement Privacy and Data Protection Measures

o Explanation: Organizations must apply technical and organizational measures to protect

personal data, such as encryption, access controls, and data minimization. These
measures are designed to safeguard data from unauthorized access, loss, or breach.

o Example: A tech company implements multi-factor authentication for accessing

customer data, restricts access to certain data fields based on employee roles, and
conducts regular security audits to identify vulnerabilities.

5. Exercise Breach Reporting Procedures

o Explanation: Organizations should have a breach reporting process in place to notify

relevant authorities and affected individuals promptly in case of a data breach. This
includes steps to contain and address the breach and mitigate its effects.

o Example: After a breach that exposed customer emails, an online retailer follows its
breach reporting procedure by immediately informing the NPC, alerting affected
customers, and offering credit monitoring services to mitigate potential harm.

These pillars form a framework that organizations must follow to establish accountability, protect data,
and ensure compliance with data privacy laws.
Limitations to Data Subject Rights:

The rights of a data subject may be limited in specific situations:

1. Scientific and Statistical Research:

o When personal data is used solely for research and statistical purposes, without
influencing any actions or decisions about the individual, data subject rights are limited.
Strict confidentiality must be maintained, and data should be used only for the stated
research purpose.

When researchers collect personal data solely for scientific or statistical purposes, the
rights of the data subject may be limited to facilitate the research.

Example: A university conducts a study on the effects of a new medication. Participants’ health
data is collected and analyzed to assess the medication’s effectiveness. During this research, the
university may limit participants' rights to access or delete their data, as doing so could
compromise the integrity of the study. The data will be kept confidential and used only for the
research project, ensuring that individual identities remain protected.

2. Criminal, Administrative, or Tax Investigations:

o Data subject rights may also be restricted when data is collected for investigations
related to criminal, administrative, or tax liabilities. These limitations are to be minimal
and strictly for achieving the purposes of the investigation.

Data subject rights may also be limited when personal data is processed for investigations
concerning criminal activity, administrative compliance, or tax liabilities.

Example: A government agency is investigating potential tax fraud involving a business.

To gather evidence, the agency may collect personal data related to the business owner's
financial records without providing immediate access to that data to the individual under
investigation. In this scenario, the limitation on the data subject's rights ensures that the
investigation can proceed without interference, while also mandating that any data
collected is used solely for the purpose of the investigation and remains confidential.

In both cases, the data subject's rights are limited only as necessary to fulfill the research or investigative
objective.

Obligations of Personal Information Controllers (PIC) or Processors (PIP) under the Data Privacy Act
(DPA):

1. Security of Personal Information:

 o Implement appropriate safeguards to protect personal data against unauthorized access,
alteration, or destruction.

Example: A healthcare provider implements encryption technology and multi-factor

authentication for its electronic health records system. This ensures that only authorized
personnel can access sensitive patient information, thereby protecting against unauthorized
access or data breaches.

2. Accountability for Data Transfers:

o Ensure protection and accountability for personal data transferred to third parties or
processors, both domestically and internationally, using contracts or safeguards to
maintain data security.

Example: A financial institution that outsources its customer service operations to a

third-party provider in another country enters into a contractual agreement that
specifies strict data protection measures. The contract includes clauses that require the
third party to implement equivalent security protocols and report any potential data
breaches, ensuring that personal data remains protected during and after transfer.

3. Data Breach Notification:

o Notify the National Privacy Commission (NPC) and affected data subjects within 72 hours
of any data breach that could harm the data subject, particularly if sensitive information
has been accessed by unauthorized persons.

Example: A retail company discovers that a hacker has accessed its customer database and
obtained sensitive payment information. Within 72 hours of the breach, the company notifies
the National Privacy Commission (NPC) and sends alerts to affected customers, informing them
of the breach and advising them to monitor their accounts for suspicious activity. This prompt
notification helps mitigate potential harm to the affected individuals.

Difference between a Data Breach and a Security Incident:

 Data Breach: This is a specific type of security failure where personal data is accidentally or
unlawfully destroyed, lost, altered, or accessed without authorization. For example, if an email
containing sensitive information is sent to the wrong person, it constitutes a data breach.

 Security Incident: This is any event that could potentially compromise data protection or
threaten the availability, integrity, or confidentiality of data. Security incidents may not result in a
data breach if safeguards prevent unauthorized data exposure. For instance, a failed login
attempt is a security incident but not necessarily a data breach.
The right to be forgotten allows individuals to request the removal of personal information from search
engine results if it is outdated, irrelevant, excessive, or no longer necessary. For example, a person might
request Google to remove links to articles that are no longer relevant to their current reputation.

Under the Philippine Data Privacy Act (DPA), a similar right exists as the right of erasure or blocking.
Data subjects may request the deletion, blocking, or removal of their personal data from a personal
information controller’s system if the data is inaccurate, unlawfully collected, or no longer necessary for
its original purpose.

Example: If someone’s old job application details are stored on a company’s system but are no longer
relevant or necessary, they may request the company to delete this information.

Outsourcing vs. Data Sharing involves different arrangements for handling personal data, particularly in
terms of the roles of the parties involved, their objectives, and the governing agreements. Here’s a
breakdown of the distinctions:

1. Roles of the Parties Involved

 Data Sharing: In a data sharing agreement, all parties involved are considered personal
information controllers (PICs). This means that each party independently determines the
purposes and means of processing the data.

 Outsourcing: In an outsourcing or subcontracting agreement, at least one party must be a

personal information controller, and the other must be a personal information processor (PIP).
The PIP processes personal data on behalf of the PIC, following their instructions without any
independent purpose.

Example:

 Data Sharing: A marketing firm and an e-commerce platform enter a data sharing agreement to
jointly analyze customer data. Both companies independently decide how to use the data to
enhance their marketing strategies. They both have their own purposes for processing the
shared data.

 Outsourcing: A bank hires an IT company to manage its customer database. Here, the bank (PIC)
retains control over the data and instructs the IT company (PIP) on how to process that data for
tasks like maintenance or data storage. The IT company does not have its own purposes for
processing; it simply acts under the bank's instructions.

2. Objectives of Processing

 Data Sharing: Each party in a data sharing agreement has its own distinct objectives for
processing the personal data involved. This means that the parties may use the same data for
different purposes.

 Outsourcing: In outsourcing agreements, the PIP processes personal data solely based on the
directions of the PIC, without pursuing any independent objectives.

Example:
  Data Sharing: A university and a research institution share student data for different research
projects. The university might use the data for educational insights, while the research
institution focuses on demographic trends.

 Outsourcing: A payroll company processes employee salary data for a company. The payroll
company’s only objective is to execute payroll according to the instructions given by the
employer, without any independent purpose for the data.

3. Governing Agreements

 Data Sharing: Governed by a data sharing agreement that outlines how the data will be shared,
processed, and protected by each party.

 Outsourcing: Governed by an outsourcing agreement that details the responsibilities of the PIC
and the PIP, including compliance with data protection laws.

Example:

 Data Sharing Agreement: The university and research institution sign a formal data sharing
agreement specifying their rights and obligations regarding the shared student data.

 Outsourcing Agreement: The company and payroll provider sign an outsourcing agreement
detailing the scope of services, data handling procedures, and security measures to be followed
by the payroll provider.

In summary, while both data sharing and outsourcing involve the handling of personal data, they differ
significantly in the roles of the parties involved, the objectives of data processing, and the types of
agreements that govern these arrangements.