REVENUE MEMORANDUM CIRCULAR NO. 61-2021 issued on May 17, 2021 publishes the full text of the Memorandum of Agreement (MOA) between the Bureau of Internal Revenue (BIR) and the Department of Trade and Industry (DTI).
The DTI consents to share with BIR, by means of online access, those personal data orinformation which it collected in the performance of its mandated duties and functions, to be utilized by the BIR exclusively for purposes of assessment, collection and enforcement of national internal revenue taxes and strictly in compliance with the Data Privacy Act and related laws/rules/regulations. Such use shall be limited, non-exclusive, non-transferable, revocable and only for the aforementioned purposes.
The BIR consents to share with DTI, by means of online access, personal data or information
of the taxpayers not otherwise covered by Section 270 of the National Internal Revenue Code (NIRC) of 1997, as amended, and those that are declared or obtainable from the Tax Amnesty Returns and the Statement of Assets, Liabilities and Networth (SALNs), which it collected in the performance of its mandated duties and functions, subject to compliance with Section 4 of National Privacy Commission (NPC) Circular No. 16-02, to be utilized by DTI for validation purposes only. The type of personal data or information to be shared between DTI and BIR, mode of data sharing, frequency, and other operational details are specified in the Technical Annex of the MOA, which shall form as an integral part hereof; Provided that, BIR and DTI shall not share information regarding business, income, estate, secret operation, style of work, apparatus of any manufacturer or producer, or any confidential information regarding the business of the taxpayer, knowledge of which was acquired during the performance of duties.
The operational details of this data sharing agreement shall be updated in a phased-in approach, once infrastructure is available. Provided, that such updates shall be considered amendments to the MOA, which shall be in the form of a written instrument duly executed and signed
by all Parties hereto and executed with the same formality as the MOA. Provided further, that BIR and DTI shall designate and authorize technical representatives to update the operational details. Access to the personal data or information shall be limited to the list of BIR and DTI officers/employees specified in the Technical Annex of the MOA.
The types of processing of the data shall likewise be limited to those specified in the Technical Annex. Any modification to the access list and the types of processing allowed shall require the approval of the Commissioner of InternalRevenue (for BIR) and the Secretary (for DTI). Such modification shall be in the form of a writteninstrument duly executed and signed by the Party approving the modification.BIR and DTI shall implement appropriate security measures, as specified in the TechnicalAnnex, to ensure protection of the personal information of data subjects, including the policy forretention, destruction and disposal of records. Both BIR and DTI warrant to treat any and/or allinformation by both Parties pursuant to the MOA with utmost confidentiality, in accordance with theData Privacy Act, and for validation, tax assessment, collection, and enforcement purposes only.
In the performance of their obligations under the MOA, the Parties shall ensure the privacy and security of any and all personal data and information that the Parties and their officers, employees, or agents may have access to; and shall store, use, process, and dispose the said information in accordance with the Data Privacy Act, its IRR and applicable NPC issuances. Any violation of this clause and any of the provisions of the said law and issuances committed by theaforementioned persons shall be subject to corresponding sanctions, penalties, and/or fines under the said law without prejudice to any other applicable civil and/or criminal liability. This clause shall survive the termination or expiration of the MOA.
The process for filing a complaint for violation of data privacy rights of any data subject shall
be in accordance with the procedures and guidelines provided for by the Data Privacy Act, its IRR, and other relevant laws/rules/regulations. The designated Data Protection Officer and Compliance Officer for Privacy of the DTI and BIR shall be responsible for addressing any information request, or complaint filed by the data subject and/or investigation by the NPC in relation to the MOA.
The data subject may be given access to a copy of the MOA upon written request and for a valid purpose, provided that the Parties may redact or prevent the disclosure of any detail or information that could endanger its computer network or system or expose to harm the integrity, availability or confidentiality of personal data under its control or custody. Such information may include the program, middleware and encryption method in use, as the case may be.
The MOA may be revised, amended or modified only through a written instrument duly executed and signed by all Parties hereto and executed with the same formality as the MOA. The MOA shall take effect upon the signing thereof by the parties’ authorized representatives and shall remain in full force for five (5) years or until mutually abrogated by the parties concerned, without prejudice to entering into a new MOA and a new data sharing agreement.