REVENUE MEMORANDUM CIRCULAR NO. 34-2023 issued on March 17, 2023 publishes the full text of the Data Sharing Agreement (DSA) between the BIR and the Securities and Exchange Commission (SEC) pursuant to Republic Act No. 10173 and the National Privacy Commission (NPC) Circular No. 16-02.
The SEC shall share with the BIR its data on corporations and other registered/licensed entities, including beneficial ownership information. These data may contain Personal Information and Sensitive Personal Information, such as but not limited to the complete name, specific residential address, date of birth, nationality, tax identification number, and percentage of ownership, if applicable, of the incorporators, stockholders, directors, trustees, members, officers, and beneficial owners of registered corporations, partners in a partnership and other persons licensed by the SEC. On the other hand, the SEC may request intelligence information necessary for the performance of its function from the BIR, provided that the request for information does not violate any applicable laws, rules, and regulations.
For the SEC, the Commission Secretary, the Director of the Enforcement and Investor Protection Department, and the Assistant Director of the Anti-Money Laundering Division of the Enforcement and Investor Protection Department are designated as Data Protection Officers (DPOs) to carry out the DSA. For the BIR, the Deputy Commissioner for Information Systems Group (ISG) is designated as Data Protection Officer to carry out the DSA.
The BIR shall treat the personal data shared by the SEC with the utmost confidentiality and solely for the furtherance of its lawful mandate. Unless otherwise exempted from the coverage of the Data Privacy Act, the BIR shall also inform the SEC of the following information one (1) week upon the signing of the Agreement:
a. Any personal information processor that will have access to or process the personal data, including the types of processing it shall be allowed to perform;
b. How the party may use or process the personal data, including, but not limited to, online access;
c. The remedies available to a data subject, in case the processing of personal data violates his or her rights, and how these may be exercised;
d. The names and designations of personnel who will be involved in the handling of personal data, upon request OR the designated Data Protection Officer.
The DSA shall remain valid and binding for five (5) years from the date of signing, unless pre-terminated by either party for reasonable ground, without prejudice to entering into a new data-sharing agreement before or upon the expiration thereof. Pre-termination shall be in writing upon the agreement by both parties.
Upon the termination of the DSA, the personal data shall remain with the BIR unless otherwise instructed and agreed upon by the agencies involved in the DSA. The confidentiality obligations contained in the DSA shall remain in force even after the termination of the Agreement.
Either party will provide the relevant data and/or document to the other party either through electronic upload, electronic mail (e-mail), or personal service, and ensure the security of the Personal Information, Sensitive Personal Information and other confidential information while in transit or while being transmitted through the channels or media authorized under the Agreement.
Each Party shall process Personal Information, Sensitive Personal Information and other confidential information disclosed or transferred to it pursuant to the Agreement in accordance with the methods and other terms and conditions of its privacy notice, statement, or policy that apply to its processing of such personal and sensitive information.
The parties shall establish reasonable and appropriate safeguards and security measures to ensure the confidentiality, integrity, and security of the Personal Information, Sensitive Personal Information and other classified information shared or disclosed by either party to the other party pursuant to the Agreement. The parties shall be responsible for preventing the unauthorized access and use of such Personal Information, Sensitive Personal Information and other classified Information in their respective custody. Unless otherwise exempted under existing law, the parties are likewise prohibited from further sharing or disclosing such Personal Information, Sensitive Personal Information and other classified information to any unauthorized party without the prior written consent of the originating party or the Data Subjects, as appropriate.
The parties shall regularly monitor their compliance with the security measures provided in the Agreement. If there is a breach in data security affecting Personal Information, Sensitive Personal Information, and other classified information, the party shall notify the Data Protection Officer or any other appropriate officer of the other party in writing, immediately after discovery of such data breach or upon reasonable belief that such data breach has occurred.
Unless applicable laws or regulations allow or require a longer period for retention, the Personal Information, Sensitive Personal Information and other classified information subject of the Agreement shall be kept and retained by the parties so long as may be necessary for the pursuit of their lawful mandate.
Upon termination of the Agreement, the parties shall, upon instruction of the other party, destroy, delete or return to the latter all Personal Information, Sensitive Personal Information and other classified information that the former received from the latter within thirty (30) days from the effective date of termination, unless the former is mandated or permitted by the applicable law to maintain a copy thereof for a longer period and subject to the internal policy of the BIR on destruction and deletion.
Personal Information, Sensitive Personal Information and other classified information in the custody of a Party that requires disposal shall be disposed of and/or discarded by such Party in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other person or entity.
The laws of the Philippines shall govern all matters arising out of or relating to the DSA.
Any dispute arising in the course of the execution and performance of the DSA shall be settled amicably through negotiations by the parties, and/or the parties shall make every effort to amicably resolve such dispute or difference by mutual consultation. If after thirty (30) days, no amicable settlement is reached, the parties undertake to submit their respective claims in accordance with the Rules on Alternative Dispute Resolution (ADR) for Disputes between National Government Agencies.
Each Party shall comply with the Data Privacy Act of 2012 and all other applicable data protection laws and issuances. The Personal data subject whose right is violated and/or affected may exercise his/her rights provided for by the Data Privacy Act, its Implementing Rules and Regulations (IRR), and other NPC issuances.
A copy of the Agreement may be obtained by a Personal data subject from the Office of the DPO of the Parties subject to processes and policies by the Parties governing such request, and prior information to the party. The Parties may redact or prevent the disclosure of any detail or information that could endanger its computer network or system, or expose to harm the integrity, availability, or confidentiality of personal data under its control or custody. Such information may include the program, web services, and encryption method in use.