Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Employers and other personal information controllers (PICs) in the Philippines are responsible for protecting the personal information that they transfer to third parties for processing. Transferring data to third parties, whether locally or internationally, requires contractual or other reasonable means to ensure an equivalent level of data protection.
Employers must obtain consent when transferring personal data, even to related companies. For example, employers must request consent when transferring employee payroll data from the local HR team to the parent company located outside the Philippines. Some companies, in obtaining the consent of the employee at the start of employment, already indicate the other specific purpose/s which may arise thereafter.
If personal data is being transferred through a data sharing agreement, employees must be notified in advance of: the identity of the PIC or Processor who will be given access to the data; the purpose of data sharing; categories of personal data that will be shared; intended recipients or categories of recipients; and, the existence of the employee’s rights (including the right to access, correct and object). Data sharing is the disclosure/transfer of personal data to a third party under the custody of a PIC or personal information processor (PIP). Data sharing happens between PICs who have separate and distinct purposes for processing data (note, the employee must provide consent).
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Obtain consent in advance, for all personal data that will be stored in the cloud or transferred outside of the Philippines. Personal data should only be transferred when an adequate level of protection is ensured and contractual or other reasonable agreements are put in place.