Technology & Outsourcing 2025 Comparisons

Cloud computing, software as a service (SaaS), AI automation, cybersecurity, digital transformation initiatives, remote work, distributed teams, nearshoring, reshoring, sustainability, and green IT are some of the key market trends shaping the IT landscape. These technologies are making outsourcing and offshoring more seamless by improving communication and connectivity between global teams, such as those in the head office and their counterparts in Manila.

In particular, cloud computing and remote collaboration tools have made interactions between geographically dispersed teams more efficient, resulting in enhanced customer service.

The Securities and Exchange Commission of the Philippines, citing the Department of Trade and Industry, defines business process outsourcing (BPO) as the “delegation of service-type business processes to a third-party service provider”. In the Philippines, the industry is generally divided into the following sectors: contact centres, back-office services, data transcription, animation, software development, engineering development, and game development.

Philippine legislation also plays an active role in shaping the IT outsourcing sector. The Electronic Commerce Act of 2000 (Republic Act No 8792) has greatly facilitated the execution of commercial and outsourcing agreements by recognising electronic contracts, signatures, and documents, thereby providing a robust legal framework for digital transactions. Furthermore, the Ease of Doing Business and Efficient Government Service Delivery Act of 2018 (Republic Act No 11032) has streamlined government procedures for business permits and licensing, reducing red tape and improving efficiency and speed in commerce.

In 2023, the Internet Transactions Act (Republic Act No 11967) was enacted, establishing the operational framework for cloud computing, SaaS, artificial intelligence, and remote service models that support cross-border teams. The law applies to both business-to-business and business-to-consumer e-commerce when at least one party is based in the Philippines, or when a platform or merchant engages with the Philippine market. Among its key digital initiatives are the creation of the e-Commerce Bureau, tasked with regulating online transactions, and the implementation of an Online Dispute Resolution mechanism for consumers, merchants, e-retailers, and other digital platforms.

BPO is evolving with trends such as the integration of robotic process automation (RPA) and AI, a heightened focus on customer experience (CX), and support for digital transformation. The adoption of cloud-based solutions, advanced analytics, and knowledge process outsourcing (KPO) is also prominent. The industry is adapting to remote and virtual BPO models, emphasising multilingual and multichannel support, and prioritising compliance and data security. Additionally, sustainability and corporate social responsibility (CSR) are gaining importance. These developments are enhancing efficiency, cost savings, customer experience, agility, scalability, data-driven insights, and access to specialised expertise, positioning BPO as a key element of modern business strategy.

Incentives and strategic locations continue to drive BPO growth in the country. Registration under the Special Economic Zone Act (Republic Act No 8748) and the CREATE Law (Republic Act No 11534) framework enables IT-BPO projects to benefit from income tax holidays and either the special corporate income tax or enhanced deductions. These incentives are complemented by exemptions from customs duties on qualified imports and VAT zero-rating on local purchases directly and exclusively used in their registered business activities.

The hybrid work model continues to disrupt traditional workplace structures. In 2022, the Fiscal Incentives Review Board authorised IT-BPO companies operating within special economic zones to transfer their registration to the Philippine Board of Investments, allowing them to adopt hybrid work arrangements without forfeiting their fiscal incentives. In line with these developments, the Telecommuting Act (Republic Act No 11165) affirms the principle of equal treatment between on-site and remote employees, ensuring parity in rights and benefits.

Another key trend is the engagement of an existing Philippine “employer of record” (EOR) company to expedite the outsourcing and hiring of a local team while the “owned” Philippine entity is being established. An EOR is a third-party service provider that can immediately onboard employees by placing them under its payroll. Once the client’s Philippine entity is fully registered, these employees are then transferred from the EOR to the owned entity.

EOR arrangements must be structured to comply with Philippine labour contracting rules, which prohibit labour-only contracting. The indicators of labour-only contracting include situations where the contractor lacks substantial capital, does not exercise control over its employees, or where the employees perform activities directly related to the principal’s core business and the contractor has no substantial capital or investment in tools, equipment, or premises.

To prevent such circumvention, the Department of Labor and Employment (DOLE) requires compliance with Department Order 174 (DO 174) and implements Articles 106 to 109 of the Labor Code of the Philippines. Under DO 174, a legitimate contractor must:

• be registered with the appropriate DOLE Regional Office;
• have substantial capital, which means paid-up capital stock/shares of at least PHP5 million for corporations, partnerships, and co-operatives, or a net worth of at least PHP5 million for single proprietorships;
• carry on a distinct and independent business and assume responsibility for performing the contracted service using its own methods and resources, free from the control of the principal except regarding the results of the work;
• exercise control over its employees’ work performance and methods, except for the final result; and
• own or have the right to use tools, equipment and machinery, and supervise its workers.

Notably, DO 174 ensures that a contractor’s employees enjoy all rights and privileges under Philippine labour laws, including safe working conditions, labour standards compliance, and security of tenure. Employees also have recourse against the principal, who is deemed jointly and severally liable with the contractor for any violations.

Statutory employer obligations also attach with EORs. Thus, EORs are required to remit all government-mandated contributions and benefits, including those under the Social Security Act of 2018, the Universal Health Care Act through PhilHealth, and the Home Development Mutual Fund Law. Further, EORs are obligated by law to withhold compensation tax under Section 79 of the National Internal Revenue Code (NIRC).

New technologies like AI, chatbots, machine learning, robotics, RPA, blockchain, fintech, and smart contracts are having a big impact on how customer service is delivered by BPOs.

On the one hand, these technologies improve efficiency and reduce costs by automating tasks and generating valuable insights. Chatbots, for instance, can provide customers with instant support at any time of day. On the other hand, there are industry concerns that such technologies could eventually replace the need for human support and interaction, potentially leading to a decline in the BPO industry in the Philippines and resulting in job losses.

In the short and even medium term, however, these technologies are more likely to complement rather than replace the services provided by BPO workers. They are expected to enhance customer service through the efficiencies they create. In the longer term, governance initiatives have begun signalling a shift towards a more structured, risk-based approach to integrating new technologies such as AI into operations.

At the time of writing, there are no comprehensive legal frameworks in the Philippines specifically regulating the impact of emerging technologies on the workforce and the broader digital economy. Striking a careful balance between sustaining technological progress and avoiding overexposure to its attendant risks, current policy proposals have been measured and deliberate. Legislative initiatives in the 20th Congress of the Philippines have primarily focused on establishing regulatory principles and frameworks.

In the Senate, several key proposals have been introduced: Senate Bill No 25 seeks to establish a National AI Commission; Senate Bill No 29, recognising the potential displacement caused by labour-saving technologies, mandates government-led upskilling programmes for the workforce; and Senate Bill No 182 proposes the creation of a National Task Force on Digital Economy Job Disruption to develop safety nets, financial assistance schemes, reskilling initiatives, and career transition support within the private sector.

In the House of Representatives, attention has turned towards addressing the identity and content risks posed by AI-generated media. Various bills have been filed to protect image, voice, and likeness, as well as to regulate or penalise the creation and distribution of deepfakes. These proposals also introduce takedown procedures and remedies that could shape platform governance and content moderation policies in the Philippines. As much of the back-office or content moderation work for social media platforms is performed remotely by BPO agents in the country, such legislation could have significant implications for the operational strategies and compliance frameworks of affected IT-BPO service providers.

The Philippines is a leading outsourcing destination, known for its skilled, English-proficient workforce and cost-effectiveness. The most commonly outsourced services include customer service and call centres, back-office functions like data entry and transcription, IT services such as software development and cybersecurity, and HR and recruitment. Finance and accounting, medical and healthcare services, content creation and digital marketing, legal process outsourcing, engineering services, and e-commerce support are also significant. These services leverage the Philippines’ competitive advantages, making it a preferred choice for businesses seeking efficient and reliable outsourcing solutions. We have had the opportunity to assist with most of these activities and functions that are being outsourced or offshored to Philippine-based staff.

The BPO sector in the Philippines remains on a steady growth trajectory. In 2024, the Information Technology and Business Process Association of the Philippines reported that the industry had surpassed its revenue targets for the fiscal year and is poised for further expansion in 2025. With the rise of competitive outsourcing firms and the growth of the freelance economy, client demand is increasingly shifting towards value-driven work and higher-quality outputs. The Financial Times has identified significant activity in areas such as finance, healthcare, legal operations, data and analytics, cybersecurity, and software support.

Equally noteworthy is the BPO sector’s expanding geographic footprint. While Metro Manila previously dominated the outsourcing landscape, the Philippine Economic Zone Authority (PEZA) has reported growing diversification and growth in regional talent pools in Cebu, Clark, Iloilo, Bacolod, Davao, and Cagayan de Oro. The near-term outlook for the industry, therefore, remains positive.

Generally, there are no statutory or regulatory restrictions on technology transactions or outsourcing in the Philippines. However, there are some industries that have restrictions as to what activities can be outsourced by a company, which are discussed in different sections of this chapter.

Where foreign companies outsource specific business processes to the Philippines, there are generally no industry-specific restrictions imposed by Philippine law. Any limitations are more likely to stem from the regulations of the country or jurisdiction where the foreign company is based, which may govern what tasks can be outsourced, how they are outsourced, and where they can be performed.

However, within the Philippines itself (ie, intra-country outsourcing), there are some industry-specific restrictions such as those for Philippine banks, insurance companies, and securities brokers/dealers. 

For Banks

The Manual of Regulations for Banks (MORB) issued by the Central Bank of the Philippines (Bangko Sentral ng Pilipinas, BSP) provides that a bank may outsource to third parties or to related companies in the group, in accordance with existing Central Bank regulations, certain services, or activities to have access to certain areas of expertise or to address outsource constraints, as long as it has appropriate processes, procedures, and information systems that can adequately identify, monitor, and mitigate operational risk arising from outsourced activities, and provided that the bank’s board of directors or senior management remain responsible for ensuring that outsourced activities are conducted in a safe manner and in compliance with applicable laws, rules and regulations.

The MORB also provides that the following inherent banking functions cannot be outsourced:

• accepting deposits from the public;
• granting loans or extending other credit exposures;
• managing risk exposures; and
• general management.

Section 112 of the MORB also sets the framework for bank outsourcing. The MORB permits banks to engage in outsourcing in three ways: as a service provider, through intra-group outsourcing, and via offshore outsourcing.

As a service provider, a bank may enter into outsourcing agreements outside its corporate group, provided that it complies with BSP guidelines, relevant laws, and applicable regulations. The bank may also offer services to its depositors in its capacity as a depository institution.

In intra-group outsourcing, banks may enter into outsourcing agreements without BSP approval if three conditions are present:

• The service is in the ordinary course of business.
• The provider is a regulated financial institution.
• The recipient is a subsidiary, affiliate, or a company under common ownership.

The intra-group service provider may enter into a subcontracting agreement provided that said arrangement is regulated and authorised, as applicable, by the intra-group service provider’s relevant regulatory authority. The bank should ensure that the service provider has a sound financial condition and has the necessary competency to provide such service.

Lastly, the bank may enter into offshore outsourcing provided that the service agreement defines counterparties’ rights and responsibilities on confidentiality and data privacy and the service provider operates in jurisdictions with existing confidentiality and/or data privacy laws that are not in conflict with existing Philippine laws and relevant regulations.

If confidentiality, customer redress, or supervisory access cannot be assured, the BSP may order the bank to end the arrangement, change its terms, or use an alternate structure.

For Insurer/Reinsurer Functions

The Insurance Commission (IC) has issued a Circular Letter which provides for functions that cannot be outsourced by an insurer/reinsurer as these are directly related to “doing or transacting insurance business”:

• solicitation activities, which shall only be carried out by the insurer/reinsurer, licensed agents and/or brokers, except to the extent allowed by guidelines from the Insurance Commission;
• the decision whether or not to undertake risk/s, which shall only be undertaken by the insurer/reinsurer and/or licensed non-life company underwriter(s);
• the decision whether or not to approve or reject an insurance/reinsurance claim, which shall only be undertaken by the insurer/reinsurer; and
• loss adjustment, which shall only be undertaken by the insurer/reinsurer and/or licensed independent or public adjuster(s).

Notwithstanding the foregoing, the insurer/reinsurer may engage advisory or consultancy services of a BPO provider in the performance of the aforementioned functions or business processes.

Currently, the IC allows outsourcing outside its non-delegable functions, subject to minimum regulatory controls. Permissible outsourced activities include support work for policy administration, accounting, customer support, claims documentation, IT operations, analytics, and finance services. However, the IC mandates that the company remains ultimately responsible and accountable. Accordingly, its provider must be vetted as financially sound and competent, maintain compliance with IC standards, and ensure contracts preserve audit and access rights to the regulator. Personal data handling must also comply with the Data Privacy Act (DPA).

Regarding outsourced agreements, the IC initially required pre-approval of BPO agreements in 2019, then removed pre-approval and shifted to an annual reporting approach. The present rule is to file an annual report covering outsourcing agreements related to the conduct of insurance or reinsurance business, subject to examination.

For Broker Dealers

The Securities and Exchange Commission (SEC) issued a memorandum circular regulating outsourcing by broker dealers. Broker dealers can outsource back-office functions provided such broker dealers do not outsource: (i) material activities or (ii) any activity that involves any interaction or direct contact with the clients of the broker dealer for the purpose of buying and/or selling securities or the solicitation of investments in securities, except in cases permitted under the Securities Regulation Code, the Anti-Money Laundering Act, as amended, or other law, rule or regulation. Further, clearing and settlement activities may only be outsourced to service providers who are authorised by SEC to conduct such activities.

Such outsourced activities may further be subcontracted by the service provider provided (i) the principles and standards provided under such memorandum circular shall likewise be applicable to the subcontractor; (ii) that such outsourcing is without prejudice to the right of the broker or dealer to prohibit any further subcontracting by the service provider; and (iii) that any further subcontracting shall not be implemented without prior notice to SEC.

Foreign companies seeking to outsource to the Philippines should also be aware of any statutory restrictions in their home countries that might impact the outsourcing process.

The Data Privacy Act of 2012 (DPA) governs all forms of personal information processing in the Philippines, setting out clear guidelines on when such processing is permissible. The processing of personal information is allowed under the following circumstances:

• when the data subject has given his/her consent;
• when processing personal information is necessary and is related to the fulfilment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
• when the processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
• when the processing is necessary to protect vitally important interests of the data subject, including life and health;
• when processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority that necessarily include the processing of personal data for the fulfilment of its mandate; or
• when the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

It also provides for the criteria for the lawful processing of sensitive personal information:

• when the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
• when the processing of the same is provided for by existing laws and regulations, as long as, such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information and that the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
• when the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
• when the processing is necessary to achieve the lawful and non-commercial objectives of public organisations and their associations, as long as such processing is only confined and related to the bona fide members of these organisations or their associations, that the sensitive personal information is not transferred to third parties, and that consent of the data subject was obtained prior to processing;
• when the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
• when the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when provided to a government or public authority.

The DPA allows the cross-border transfer of personal information from the Philippines to another jurisdiction. Recently, the National Privacy Commission (NPC) of the Philippines released several advisories and guidelines on the following:

• advisory on model contractual clauses for cross-border transfer of personal data (however, the adoption of these clauses is only recommended rather than mandatory);
• guidelines for obtaining consent from data subjects and guidelines on the legitimate interest (these guidelines, while not specifically for technology transactions and outsourcing, will serve as helpful guidelines for various industries when it comes to processing personal information of clients, employees, suppliers, and other people that they transact with);
• requirements for the security of personal data processed by personal information controllers (PICs) or personal information processors (PIPs) (these guidelines cover, inter alia, transfer of and access to personal information, usage of authorised devices, disposal and destruction of personal data, business continuity plans, and removable or portable storage media for processing of personal information); and
• requirements for a data sharing agreement.

Where outsourcing involves personal data, the DPA and its implementing rules apply, and the data controller retains ultimate responsibility for compliance – even where a personal information processor performs the task. The law explicitly affirms that accountability lies with the controller. 

In practice, this means the outsourcing contract should comply with several security safeguards under the directions of the controller. These include: clearly identifying the lawful basis for processing; limiting data use strictly to agreed purposes; implementing security measures consistent with the National Privacy Commission (NPC)’s standards; and ensuring prompt breach notifications within the seventy-two-hour reporting window.

These contractual and operational safeguards are reinforced by recent issuances of the NPC, which provide detailed regulatory guidelines.

NPC Circular No 2023-06 (on Security of Personal Data) sets the current security baseline for controllers and processors. The circular mandates a privacy impact assessment for each processing system.  For outsourced activities, a concrete security safeguard that the controller can introduce to the processor is the presence of contractual controls within the processor’s procedures. In other words, this means there must be a documented control framework in the contract, privacy by design and by default must be the norm for both parties, and encryption and depersonalisation must always be operational.

NPC Circular No 2023-04 (on Consent) sets out how to obtain and document consent approvals. NPC Circular No 2023-07 (on Legitimate Interest) details that legitimate interest requires regulatory tests such as a purpose test, necessity test, and balancing test. Notably, these tests do not apply to sensitive personal information or privileged information. In outsourcing, this means that the controller must select the lawful basis and ensure the processor supports it through appropriate documentation.

As regards personal data breaches, NPC Circular No 16-03 requires seventy-two-hour notification to the NPC of any knowledge or reasonable belief of a possible breach affecting the data subjects concerned. In terms of outsourcing, this translates to tighter controls by the controller over the processor, whereby the former can institute shorter time periods for breach notification to allow time for remediation before reporting to the NPC.

The NPC has also intensified its enforcement regime. NPC Circular No 2022-01 establishes a schedule of fines, including penalties of up to 3% of annual gross income for serious violations, capped at PHP5 million per incident. These fines can serve as a reference for penalty clauses between controllers and processors in cases of negligence or breach.

Finally, aligning with international data protection practices, NPC Advisory No 2024-01 recognises the use of model contractual clauses (MCCs), such as the ASEAN MCCs, and standard contractual clauses (SCCs), such as those of the EU, as voluntary tools for allocating responsibilities and demonstrating accountability in cross-border data transfers.

In outsourcing transactions, there is no standard model contract used universally. Typically, companies employ some form of a services contract. For companies seeking tax exemptions, specific provisions are essential, including a detailed description of the services to be provided, the currency in which payment is made, proof of payment, the tax situs of the service, and compliance with tax regulations in invoicing. Additionally, transfer pricing considerations are important when drafting an outsourcing services contract.

At a minimum, standard contract models contain boilerplate provisions covering scope and service levels, change control, audit and access rights, confidentiality, information security, data processing under the DPA and the latest NPC circulars, business continuity, exit assistance, and a clear allocation of responsibilities for incident management and breach notification consistent with the NPC’s seventy-two-hour rule. For cross-border transactions, contracts should incorporate security safeguards that, at the very least, align with DPA standards.

The most common contract model is a bilateral services contract between the client and the outsourcing service provider. Joint ventures and multi-sourcing arrangements are rare in the outsourcing sector in the Philippines.

Digital transformation has impacted the delivery of outsourced and offshored services, altering the content of outsourcing contracts. While the contract structure remains largely the same, its contents have become more detailed, especially regarding data privacy, intellectual property, security, and confidentiality.

Increasingly, outsourcing contracts place greater emphasis on privacy, security, and intellectual property protection. Data processing clauses should specify security controls, breach response timelines, and the lawful basis for processing as determined by the data controller. Additionally, with the rise of AI in commercial transactions, adding practical guardrails in clauses is also advised. Defining ownership of data inputs, outputs, and resulting work products reduces the likelihood of disputes. Moreover, as the NPC strengthens its regulatory oversight, it is now mandatory to ensure human oversight in processes involving material decisions, to prevent full automation without accountability.

Due diligence processes for selecting outsourcing providers have also become significantly more robust. To guarantee that an outsourcing provider complies with privacy regulations and that its employees are adequately trained in data handling requirements, contracts now include additional, specific representations and warranties concerning data privacy compliance. This thoroughness in due diligence has expanded beyond mere contractual warranties. Outsourcing partners are now subject to third-party review of their background, the training provided to their data handlers, and their established security protocols. Providers who can effectively evidence compliance with this minimum standard typically achieve more favourable commercial outcomes.

The Philippines operates under a mixed legal system shaped by successive colonial rule. Spanish civil law forms the backbone of private law, later complemented by American common law influences. Customer protection is grounded in local statutes on contracts, privacy, and intellectual property. Contract law follows the Western legal tradition, with a strong Spanish lineage reflected in the Civil Code. Core rules on perfection, consummation, termination, and dispute resolution remain rooted in that tradition. A contract is the law between the parties, so customers may rely on clear terms and conditions together with statutory remedies when disputes arise.

Privacy laws and regulations generally follow European standards found in the General Data Protection Regulation (GDPR). Intellectual property laws are shaped by the different treaties that the Philippines has acceded to, such as the Convention Establishing the World Intellectual Property Organization (1980), Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) (1994), Patent Cooperation Treaty (2001), and the WI PO Copyright Treaty (2002).

Termination is generally based on grounds provided in the service contract between the customer and the BPO company, which is mostly based on breach of contractual provision. Termination may also be based on law, which is mostly based on the Civil Code of the Philippines.

Likewise, customer rights upon termination are also based on the grounds provided in the service contract between the customer and the BPO company as well as the Civil Code. The allocation of liability for damages will depend on which party is deemed to be in breach of the contract, with the responsible party held liable for any resulting damages.

Upon termination, protocols on securing or destruction of data of providers should be in place, including residual copies thereof. Data retention policies are also advised to be aligned with company policies, especially those with an international presence. Nonetheless, it is recommended that data retention duration should be aligned with the claims period under the Labor Code of the Philippines and recording-keeping requirements under the NIRC and Anti-Money Laundering Act.

The distinction between direct and indirect loss is relevant in determining the type of damages that can be claimed.

Under Philippine laws, actual damages constitute compensation for sustained pecuniary loss. However, to be awarded actual damages, the pecuniary loss must be substantiated with concrete evidence, such as receipts. Both direct loss and indirect loss may be recoverable through actual damages but it is easier to prove direct loss since pecuniary loss is comparatively easier to prove in direct loss than in indirect loss.

In the absence of such proof, temperate or moderate damages may be awarded. Temperate or moderate damages may be awarded when the court finds that some pecuniary loss has been suffered but its amount cannot be determined with certainty. Temperate or moderate damages can be awarded for either direct or indirect losses.

Loss of profit forms part of actual damages which must be established with competent proof and a reasonable degree of certainty. Further, loss of profits on account of delay or failure of delivery may be recovered only if such damages were reasonably foreseen prior to contracting.

On the other hand, loss of goodwill is considered part of moral damages. As a general rule, moral damages cannot be awarded to corporations. A corporation may acquire goodwill or reputation of its own, and when it is harmed, the corporation may recover moral damages.

Under Philippine law, rights can generally be waived, though certain exceptions exist. Waivers are invalid if they are contrary to law, public order, public policy, morals, or good customs, or if they prejudice a third party with a legally recognised right.

Notably, any waiver of responsibility for future fraud is void, as responsibility arising from fraud is always enforceable.

Lastly, with regard to liquidated damages, these are pre-agreed amounts specified by the parties to a contract. However, the amount of liquidated damages is limited to the agreed sum unless the nature of the breach does not correspond to the breach for which the liquidated damages were intended. In such cases, the measure of damages will be determined by law, not by the parties’ agreement.

Contracting parties may establish stipulations, clauses, terms and conditions as they may deem convenient, provided they are not contrary to law, morals, good customs, public order or public policy. This means that, generally, laws are deemed written into every contract, even special laws. Under the Electronic Commerce Act of 2000, an electronic execution of a contract and electronic records thereof are valid and admissible to the Rules of Evidence. For online operations, obligations under the Internet Transactions Act of 2023 apply to platforms, e-retailers, and merchants. This also includes co-operation with government agencies regarding referrals to an online dispute resolution facility. Although a contract is often described as the “law between the parties”, the provisions of positive law that regulate contracts are always considered to be incorporated within it. These statutory provisions consequently limit and govern the relationship between the parties. These fundamental legal principles hold true for all modern commercial agreements, including those for technology or outsourcing.

Under Philippine laws, if a PIP is processing personal information on behalf of a PIC as their client, the DPA requires that the contracting parties execute a contract or other legal act (like an outsourcing or subcontracting agreement) that will bind the PIP to the PIC.

In outsourcing, the DPA requires that the PIC use contractual or other reasonable means to ensure that proper safeguards are in place to ensure confidentiality, integrity, and availability of the personal data processed, prevent its use for unauthorised purposes, and comply with the requirements of the DPA, its Implementing Rules and Regulations (IRR), other applicable laws for processing of personal data, and other issuances of the NPC. The IRR of the DPA further provides for certain provisions that must be stipulated in such contract or any legal act entered into by the parties.

On the other hand, if one party is sharing personal information with another party for a completely different purpose, the NPC suggests that a data sharing agreement be entered into by the parties involved.

A data sharing agreement is an agreement that sets out the obligations, responsibilities, and liabilities of the personal information controllers involved in the transfer of personal data. While the execution of a data sharing agreement is not mandatory, it is still best practice to execute one when sharing personal data from one personal information controller to another. The NPC issued a guide for the creation of a data sharing agreement. It details what the NPC expects to find in such agreement. The guide also states that if the disclosure or public access is facilitated by an online platform, the program, middleware, and encryption method that will be used should also be identified.

More recently, the NPC issued a circular clarifying that a data sharing agreement is not a legal requirement for data sharing to be considered lawful. Nevertheless, the NPC continues to recommend the use of such agreements, as they promote accountability and demonstrate stronger compliance with data privacy regulations. In all instances, parties engaged in data sharing must adhere to the fundamental principles of transparency, legitimate purpose, proportionality, and consent.

Both outsourcing and data sharing agreements require that the organisational, physical, and technical security measures to be adopted by the parties for the protection of personal information be included in the outsourcing contract or data sharing agreement.

In both instances, the NPC emphasises the exercise of rights by data subjects. Both documents must include provisions informing data subjects how they can exercise their rights, including how the data subjects can communicate with the data protection officer of each contracting party for the exercise of such rights.

In addition to this, it is not unusual for any contracting party to require the other party to sign a non-disclosure agreement or a confidentiality agreement. Agreements like these serve to protect not just the personal information that is being shared by one party with the other, but other confidential business matters, trade secrets, and intellectual properties that are being shared. 

As regards business continuity, a circular by the NPC requires a PIC or PIP to prepare a business continuity plan in order to mitigate potential disruptive events. The PIC or the PIP should consider the following:

• personal data back-up restoration, and remedial time;
• periodic review and testing of the business continuity plan, taking into account disaster recovery, privacy, business impact assessment, crisis communications plan, and telecommuting policy, among others; and
• contact information and other business-critical matters – eg, electrical supply, building facilities, information and communications technology (ICT) assets.

With a lot of companies in the Philippines practising a hybrid work set-up, the NPC also provides some security measures that may be taken by PICs or PIPs:

• training on the limitations on use of company-issued computing devices with secure configuration of the PIC’s ICT assets to protect against security risks and cyberthreats such as unauthorised access, malware, data loss, and theft;
• best password management and secured practices in managing online accounts, computers, mobile phones, and network appliances; and
• periodic training on data privacy, cybersecurity, and online productivity, among others.

Just as consumer rights are protected by contract law and terms of service, the performance of an outsourcing service provider is bound by the key performance indicators (KPIs) detailed in the outsourcing contract.

Because the type of services that are outsourced is varied and broad, such as services relating to information technology, accounting, sales, data entry, and customer support, there is no fixed measure of performance for the output of a service provider. Performance generally depends on the type of services provided. However, a common denominator for measuring performance is customer satisfaction. The customer here can either be an internal stakeholder or an external stakeholder being serviced by the outsourcing provider. Although cost savings are often a key motivator for outsourcing, if the service provider’s performance does not meet expectations, the cost-benefit trade-off may not justify continuing the outsourcing arrangement.

KPIs are best implemented as service levels in the outsourcing contract, with clear definitions covering what is measured, the data source, the party responsible for measurement, the time period and formula, the target and minimum level, and the consequence of a missed target. Remedies may include service credits, corrective action plans within a set time, personal improvement plans (PIPs) to address individual performance issues, and termination rights for repeated failure. A PIP is a structured plan that identifies specific areas for improvement, sets measurable goals, and outlines the actions and timelines needed to achieve them.

In terms of managing and measuring an outsourcing supplier’s performance, the contract terms do not really differ if the outsourcing service is cloud-based. In general, the contract should establish who handles security and day-to-day operations, where data is stored and when it may leave the country, what security standards apply, and the right to audit.

The agreement should also require prompt incident reporting and include service levels expressed in clear, measurable terms. These should cover factors such as service availability, response times, recovery times following an outage, acceptable levels of data loss, scheduled maintenance periods, and procedures for issue escalation. Additionally, it should outline how software updates are deployed, the duration of support for older versions, notice periods for the retirement of features, access to system interfaces, usage limits, and controls governing subcontractors. Pricing models should correspond to actual usage, incorporating agreed caps and service credits where performance targets are not met. An exit plan should ensure the smooth export of data, its secure deletion, and reasonable transitional assistance.

While cloud-based services may influence the manner and speed with which services are delivered – thereby affecting customer satisfaction – they do not fundamentally alter the core contractual terms and conditions governing the outsourcing relationship.

In the Philippines, there are several ways that a foreign company looking to hire Philippine-based staff may initially hire their employees.

The first is through an employer of record (EOR) model. An EOR refers to a third-party Philippine company that puts the staff on their own payroll and manages the HR function on behalf of the foreign company. The EOR charges the foreign company for employee salaries, along with a service fee.

The second is through an independent contractor relationship with the Philippine-based staff. If hiring through an EOR is not an option, the foreign company may also directly engage the staff as independent contractors. This may have employment law compliance issues later on, despite the staff being classified as independent contractors.

The third option involves setting up a Philippine entity, such as a wholly-owned subsidiary, representative office, branch office, regional headquarters, or regional operating headquarters. These different types of company (or special purpose vehicles) have different functions and limitations and the choice would ultimately depend on the type of activity the foreign company would be carrying out in the Philippines. Each type would also have different tax implications and, with the right preparation, even tax exemptions. Therefore, it is important to properly structure the entity of the foreign company and prepare all requirements for a seamless transfer of employees (including setting up a payroll system and managing social contributions).

It is not unusual for a foreign company to start off with either the first or second method. However, as their operations grow and the need for greater control over staff increases, many companies gradually transition to establishing their own Philippine entity. This third method often becomes more cost-effective in the long run, especially with a larger workforce.

The transition to the third method usually involves the migration and transfer of employees from the EOR or as independent contractors to the foreign company’s own Philippine company.

Under Philippine laws, corporations enjoy separate and distinct juridical personalities, and employees have the right to security of tenure. Thus, the transfer of employees from the EOR may require the termination of employees from the EOR and the payment of separation pay, which could be added to the costs charged to the foreign company. However, it is also possible to maintain the employees’ tenure by transferring them to the foreign company’s Philippine entity by recognising their tenure from their EOR employment to the new Philippine entity. Careful legal and procedural handling of these transfers is essential.

When using the EOR model, the arrangement should be structured so that the EOR is clearly acting as the legal employer in the Philippines and not as a contractor of services. This helps avoid any finding of labour-only contracting, which can arise if the foreign company exercises direct control over the employees and the EOR lacks sufficient capital, equipment, or independence. Contracts should clearly define the EOR’s role, reporting lines, and responsibility for payroll, taxes, and social contributions. Where operations transition to a local entity, employee transfers should be carefully documented through termination and rehire or novation, with recognition of tenure if intended, along with the continued granting of benefits and timely release of final pay. It is also prudent to address compliance matters such as permanent establishment risk, restrictions under the Anti-Dummy Law, immigration requirements for foreign managers, and data privacy obligations.

Under current Philippine laws, trade union or workers’ council consultation is not required for outsourcing. Whether negotiations are required or not would depend on the collective bargaining agreement in force between the company and its employees (if any). At present there is only one network of BPO employees called the BPO Industry Employees Network (BIEN) which currently lobbies for the support of legislation concerning the Union Interference Bill, which seeks to strengthen organising unions in the BPO industry.

There is currently no specific law governing consultation or worker councils for outsourcing in the BPO sector, but proposals continue to emerge in Congress aimed at enhancing employee participation and protecting union rights. Monitoring such developments is important, as future legislation could introduce mandatory consultation or notification requirements for outsourcing arrangements.

Hailed as the “call centre capital of the world”, the Philippines continues to be a preferred service provider for offshore outsourcing. In November 2023, the Information Technology-Business Process Management Association of the Philippines (IBPAP) projected a 7% revenue growth rate in the BPO industry for 2024.

There are three important factors to consider with regard to remote working in a BPO company.

First, the Implementing Rules and Regulations of Republic Act No 11165 (“Telecommuting Act”) mandate employers to notify the Department of Labor and Employment of the implementation of telecommuting work through the Establishment Report System. Telecommuting employees (ie, remote working employees) shall be covered by the same applicable company policies and afforded the same set of benefits under the law and existing collective bargaining agreement, if any. In other words, there should be no discrimination against those working remotely.

Second, BPO companies located in economic zones or tax-free zones are not allowed to have 100% remote working arrangements as it will negatively affect whatever fiscal and non-fiscal incentives they may have under existing laws. In 2022, the Fiscal Incentives Review Board (FIRB) of the Department of Finance rejected the requests for extending work-from-home arrangements, and mandated BPOs located in economic zones or tax-free zones to return to on-site duties beginning 1 April 2022. Given the foregoing, BPO companies that continue to implement work-from-home arrangements may encounter greater costs, which can be passed onto their customers.

Third, BPO companies that register with the Board of Investments (rather than with the economic zone authority) are still allowed to have 100% of their employees work remotely.

Remote work remains a highly valued benefit among BPO employees and can be a key factor in attracting and retaining talent. However, maintaining a secure environment for handling customer data is critical. Ensuring strong data privacy compliance, in accordance with Philippine laws, becomes essential for BPOs adopting remote work arrangements, balancing the interests of employees and the security expectations of customers.