The applicability factor "Applicability Based on Contract Concluded in Jurisdiction" is used to determine the scope of data protection law in the Philippines. This factor extends the jurisdiction of Philippine data protection law to entities that enter into contracts within the country, even if the entity or data processing occurs outside the Philippines. ## Relevant Provision(s) The relevant provisions are found in: 1. Data Privacy Act of 2012 (DPA), Section 6(b)(1): "This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: (b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following: (1) A contract is entered in the Philippines;" 2. Implementing Rules and Regulations, Section 4(d)(2): "The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if: d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following: 2. A contract is entered in the Philippines;" ## Analysis of Provisions Both provisions establish that the Philippine data protection law applies to entities that enter into contracts within the Philippines. The DPA provision specifically mentions that this applies even if the processing occurs outside the Philippines, as long as it involves personal information about Philippine citizens or residents. The inclusion of this factor in the law reflects the lawmakers' intent to protect Philippine citizens and residents from potential data privacy breaches, regardless of where the data processing occurs. By extending the law's reach to entities that enter into contracts in the Philippines, the legislation aims to ensure that these entities are held accountable under Philippine law for their data processing activities. This approach recognizes the increasingly global nature of data processing and attempts to establish a clear jurisdictional link based on contractual relationships formed within the country. It also serves to prevent entities from circumventing Philippine data protection laws by simply moving their data processing operations offshore while still conducting business within the country. ## Implications The inclusion of this applicability factor has several important implications: 1. Extended jurisdiction: Entities that enter into contracts in the Philippines are subject to Philippine data protection law, even if they are foreign companies or conduct data processing outside the country. This significantly expands the reach of Philippine data protection regulations. 2. Compliance requirements: Companies entering into contracts in the Philippines must ensure compliance with Philippine data protection laws, regardless of where their data processing activities occur. This may require adapting their data handling practices and policies to meet Philippine standards. 3. Potential extraterritorial enforcement: The Philippine data protection authorities may attempt to enforce the law against foreign entities that have entered into contracts in the Philippines, even if these entities have no physical presence in the country. 4. Contractual considerations: Entities doing business in the Philippines should be aware that entering into contracts within the country could subject them to Philippine data protection law. This may influence decisions about where to conclude contracts or how to structure business relationships. Example cases where Philippine data protection law would apply: - A multinational company enters into a service contract with a Philippine client in Manila, even though the data processing related to the service occurs in another country. - An offshore data processing company signs an agreement with a Philippine business partner in Cebu to handle customer data, despite conducting all data processing activities abroad. In both cases, the entities would be subject to Philippine data protection law due to the contracts being entered into within the Philippines, regardless of where the actual data processing takes place.