Transferring Customer Databases: Aligning Data Privacy Act Compliance with Intellectual Property Acquisitions in the Philippines
Introduction: why customer databases raise both deal value and legal risk
Foreign buyers often treat a Philippine company’s customer database, user lists, and market analytics as high-value assets that can be purchased, assigned, or licensed like other intellectual property (IP). In the Philippines, however, those assets frequently contain personal information (and sometimes sensitive personal information), so the acquisition must also comply with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (2016). A buyer that focuses only on IP assignment can end up with unusable data, regulatory exposure, and post-closing operational delays.
Governing law: what applies to foreign buyers acquiring Philippine customer data
The main statute is Republic Act No. 10173 (Data Privacy Act of 2012). It can apply even when the buyer is offshore because the law has extraterritorial application where the processing relates to a Philippine citizen or resident and the entity has a link to the Philippines (for example, doing business in the Philippines or having a branch/affiliate with access to the data). This is expressly recognized under Section 6 of the Data Privacy Act (2012).
The Data Privacy Act’s Implementing Rules and Regulations (2016) supply operational requirements on lawful processing, outsourcing/data processing contracts, and accountability for outsourced or transferred data. These are central in M&A and IP acquisitions involving databases.
Customer databases as “assets” vs. “personal data”: separating IP from data protection duties
A “customer database” deal usually includes two different things:
(1) IP/ownership in the database structure and analytics outputs — e.g., database schema, segmentation models, scoring methods, dashboards, and proprietary market analytics. These may be transferred as part of an IP sale or assignment under commercial documents.
(2) The underlying dataset containing customer/user records — names, emails, phone numbers, purchase histories, device identifiers, account activity, and similar information. If the dataset identifies individuals, it is regulated personal data under the Data Privacy Act and may only be collected, used, disclosed, or transferred under lawful grounds and with adequate safeguards.
Step 1 — Classify the data: personal information vs. sensitive personal information
Data classification determines what lawful basis is required and how strict the controls must be. The Supreme Court has repeatedly emphasized that sensitive personal information enjoys a “special regime of protection,” and that its processing is generally prohibited unless a specific legal allowance applies.
Common data types in customer/user lists
The table below is a starting point for due diligence; actual classification depends on the fields included and how they are used.
Table: Typical fields in customer databases and likely classification
Personal information (generally allowed if a lawful basis exists): name, email address, mobile number, delivery address, purchase history, preferences, customer service tickets (unless privileged), loyalty ID (if not a government ID).
Sensitive personal information (higher protection; generally prohibited unless an exception applies): government-issued identifiers and similar data. The Supreme Court recognized that Taxpayer Identification Numbers (TINs) are sensitive personal information, and disclosure rules must satisfy stricter standards (Philippine Stock Exchange, Inc., et al. v. Secretary of Finance, et al., 2022).
Step 2 — Identify a lawful basis for the transfer and the buyer’s intended use
Under the IRR, processing of personal information is allowed so long as it is not prohibited by law and one of the lawful criteria is met. The IRR recognizes several common grounds, including consent, contractual necessity, legal obligation, vital interests, public order/safety, statutory mandate, and legitimate interests (IRR of the Data Privacy Act, 2016, Rule V, Section 21).
What foreign buyers usually try to rely on (and where they fail)
Consent. Consent must be freely given, specific, and informed, and must be evidenced by written, electronic, or recorded means (IRR, 2016, Rule I, Section 3). In acquisitions, consent often becomes problematic if the original consent language did not clearly cover disclosure to a buyer or post-closing use for new purposes.
Contractual necessity. This may apply where data processing is required to perform a contract with the user (IRR, 2016, Rule V, Section 21). In an asset sale, however, the buyer typically becomes a new controller and may intend additional uses not necessary to perform the original contract.
Legitimate interests. This may be invoked where the processing is necessary for the controller’s legitimate interests and is not overridden by the data subject’s fundamental rights (IRR, 2016, Rule V, Section 21). In practice, buyers should be ready to justify necessity, proportionality, and safeguards, and to document that the planned use is reasonably expected by users.
Sensitive personal information: higher bar and stricter conditions
Sensitive personal information is generally prohibited unless an exception applies. The Data Privacy Act provides exceptions, including where processing is allowed under existing laws and regulations that themselves provide guarantees for protection, among others. The Supreme Court held that when an issuance requires disclosure of sensitive personal information, the issuance itself must contain protective guarantees; it is not enough to point to other laws in general (Philippine Stock Exchange, Inc., et al. v. Secretary of Finance, et al., 2022).
Step 3 — Decide the correct transfer model: data sharing vs. outsourcing
The IRR distinguishes data sharing from outsourcing. “Data sharing” is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or processor (IRR, 2016, Rule I, Section 3). Outsourcing is treated differently because the processor acts on the controller’s instructions.
Why this matters in M&A and IP acquisitions
An asset deal with a database transfer typically looks like data sharing (seller discloses/transfers data to the buyer as a new controller). That raises questions about lawful basis, transparency, and whether re-consent or notice is required depending on the original privacy terms and the buyer’s planned purposes.
Transitional services (seller continues hosting/processing for the buyer post-closing) typically look like outsourcing and must be governed by a compliant processing agreement.
Step 4 — Put the required contracts in place (especially for transitional processing)
If the seller or another vendor will process personal data on the buyer’s behalf, the IRR requires that processing by a personal information processor be governed by a contract or legal act binding the processor to the controller. The contract must specify subject matter, duration, purpose, categories of data, controller rights/obligations, and the location of processing (IRR, 2016, Rule X, Section 44).
Minimum clauses foreign buyers should insist on for outsourcing arrangements
The IRR requires, among others, that the processor: (a) process only upon documented instructions (including cross-border transfers unless authorized by law), (b) impose confidentiality, (c) implement security measures and comply with the Act/IRR, (d) not engage another processor without prior instruction, and (e) delete or return personal data at the end of the services unless retention is authorized (IRR, 2016, Rule X, Section 44).
Step 5 — Understand accountability: the buyer cannot “contract away” responsibility
The IRR states that the personal information controller is responsible for personal data under its control or custody, including data outsourced or transferred to a processor or third party, whether domestic or international. The controller must use contractual or other reasonable means to ensure a comparable level of protection (IRR, 2016, Rule XII, Section 50). This is important for foreign buyers using offshore cloud hosting or regional analytics hubs after closing.
Step 6 — Governance, due diligence, and “clean data” delivery
A database purchase should be conditioned on whether the data is lawfully collected and still usable for the buyer’s intended purposes. The following diligence points reduce post-closing risk:
Checklist (deal diligence and closing conditions):
1) Confirm what the seller told users (privacy notice terms, consent language, retention statements, and sharing disclosures).
2) Confirm whether the dataset contains sensitive personal information (e.g., government identifiers) and whether it is truly necessary to transfer it.
3) Confirm whether the seller had a lawful basis for collection and prior disclosures, and whether new purposes are planned post-closing.
4) Confirm whether there are processors/sub-processors (CRM, cloud, email marketing platforms) requiring compliant agreements consistent with Rule X, Section 44.
5) Require a data map and a data inventory as deliverables, including the location of storage and processing.
Typical scenarios and how they are commonly structured
Scenario A: buyer acquires a Philippine e-commerce app and wants to email users post-closing. The buyer should verify whether marketing communications were covered by prior disclosures, and whether the buyer’s identity and new marketing purposes require refreshed consent or at least updated transparency depending on the original notice and the lawful basis used (consent vs. legitimate interests) (IRR, 2016, Rule I, Section 3; Rule V, Section 21).
Scenario B: buyer acquires market analytics and wants raw data too. Where possible, transfer de-identified or aggregated datasets for analytics and limit transfer of directly identifying fields. This reduces the volume of personal data processed and the risk that sensitive personal information is unnecessarily included.
Scenario C: transitional services where the seller continues operating the CRM for 3–6 months. Use an outsourcing agreement consistent with the mandatory elements and processor obligations under Rule X, Section 44, and document instructions (including cross-border access) to avoid uncontrolled processing.
Handling disclosures compelled by regulation: strict safeguards are required for sensitive data
If the transaction involves compliance-driven disclosures (for example, disclosures to regulators, banks, or tax authorities), note that the Supreme Court has invalidated regulations requiring disclosure of sensitive personal information when they failed to provide protective guarantees within the issuance itself (Philippine Stock Exchange, Inc., et al. v. Secretary of Finance, et al., 2022). This principle reinforces that a buyer’s compliance plan should not rely on vague references to other laws; controls and safeguards must be clearly defined in the relevant instruments and internal governance.
Privacy and confidentiality limits recognized by the Supreme Court
Data transfers may also intersect with constitutional privacy interests and professional confidentiality. The Supreme Court has ruled that requirements compelling disclosure of client-related details by self-employed professionals can be an unreasonable intrusion into privacy and confidentiality when unsupported by adequate authority (Integrated Bar of the Philippines, et al. v. Purisima, et al., 2023). For buyers, the lesson is that “database value” is not a blanket justification—collection and disclosure must be lawful, necessary, and bounded.
Conclusion: deal-ready steps for lawful acquisition of Philippine user lists and analytics
A foreign buyer can lawfully acquire and use a Philippine company’s customer database if the transaction is structured around (1) correct data classification, (2) a defensible lawful basis for the transfer and intended post-closing use, (3) proper contracting for any processor/outsourcing relationships, and (4) documented accountability and safeguards, including for cross-border processing.
As deal terms, buyers should (a) require representations and warranties on lawful collection and disclosures, (b) insist on a usable lawful basis for transfer and intended uses, (c) segregate or minimize sensitive personal information, (d) require IRR-compliant processing agreements for transitional and vendor processing, and (e) plan user-facing notices/updates early so operations can proceed immediately after closing.
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392. Visit our website https://ndvlaw.com.

