Corporate Governance &
Oversight Framework

This document establishes the corporate governance and oversight framework for the Philippine Representative Office ("RO") of a Netherlands-registered parent company ("the Company"). It addresses the unique compliance challenges arising from operating under two concurrent regulatory jurisdictions — the Republic of the Philippines and the Kingdom of the Netherlands / European Union.

A Representative Office represents the lightest corporate footprint available to a foreign company in the Philippines. However, this limited scope does not diminish the governance obligations. The RO is subject to Philippine corporate law, labour regulations, data privacy requirements, and anti-corruption legislation, while simultaneously falling under Dutch corporate governance standards, EU data protection law, and international anti-bribery conventions.

Failure to maintain robust governance across both jurisdictions exposes the Company to regulatory sanctions, criminal prosecution, financial penalties, and reputational damage in multiple countries.

Under Philippine law, a Representative Office is authorised to perform the following activities exclusively:

• Promoting and marketing the parent company's products and services
• Conducting market research, feasibility studies, and business intelligence gathering
• Acting as a liaison and communication channel between the parent company and Philippine-based clients, partners, and stakeholders
• Quality control and quality assurance activities on behalf of the parent company
• Facilitating coordination and information dissemination

Legal Basis: Revised Corporation Code of the Philippines (RA 11232), SEC Memorandum Circulars

Specifically prohibited activities include:

• Entering into commercial contracts or executing sales transactions
• Issuing invoices, collecting payments, or receiving revenue from Philippine sources
• Bidding on or participating in government or private procurement processes
• Offering or providing services for compensation
• Engaging in manufacturing, processing, or production activities

The RO must be registered with the following Philippine agencies:

Agency	Requirement	Purpose
Securities and Exchange Commission (SEC)	Licence to operate as RO	Primary registration and annual compliance
Bureau of Internal Revenue (BIR)	Tax Identification Number (TIN)	Tax filing obligations (withholding taxes)
Local Government Unit (LGU)	Business permit / Mayor's permit	Local operating authority
Social Security System (SSS)	Employer registration	Employee social security contributions
Philippine Health Insurance Corp (PhilHealth)	Employer registration	Employee health insurance contributions
Home Development Mutual Fund (Pag-IBIG)	Employer registration	Employee housing fund contributions
National Privacy Commission (NPC)	Registration of data processing systems	Data privacy compliance

Securities and Exchange Commission (SEC)

• Annual Reporting: Submission of General Information Sheet (GIS) and Audited Financial Statements within the prescribed deadlines
• Minimum Annual Remittance: The parent company must remit a minimum of USD $30,000 per annum to fund the RO's operations. Proof of inward remittance must be maintained and reported
• Resident Agent: A designated Resident Agent must be appointed and registered with the SEC, authorised to receive legal notices and summons on behalf of the RO
• Activity Compliance: The RO must demonstrate that its activities remain within the permitted scope at all times

Bureau of Internal Revenue (BIR)

• Monthly and quarterly withholding tax returns on employee compensation
• Annual information returns
• Compliance with documentary stamp tax requirements where applicable
• Maintenance of proper books of accounts and receipts

• Dutch Corporate Governance Code: While primarily applicable to listed companies, the principles of transparent and accountable management extend to all international operations. The parent board retains ultimate responsibility for the conduct of the Philippine RO
• Dutch Civil Code (Book 2): Directors of the parent company have a duty of care that extends to oversight of foreign operations
• Transfer Pricing Documentation: All financial flows between the parent company and the RO must comply with Dutch transfer pricing regulations and OECD Transfer Pricing Guidelines
• UBO Registration: Ultimate Beneficial Ownership transparency requirements under Dutch law apply to all controlled entities and offices
• EU Directive Compliance: Applicable EU directives on corporate sustainability reporting, anti-money laundering, and whistleblower protection extend to international operations

The following governance structure is recommended:

Role	Responsibility	Reports To
Parent Company Board	Ultimate oversight of all international operations including the Philippine RO	Shareholders
Designated Board Member / Committee	Direct oversight of the Philippine RO; approves governance policies, reviews compliance reports	Board
RO Country Representative / Head	Day-to-day management; ensures local compliance; implements parent company policies	Designated Board Member
Resident Agent	Legal representative for SEC and regulatory purposes	RO Head
Compliance Officer (may be external)	Monitors regulatory compliance; manages compliance calendar; reports issues	RO Head & Parent Compliance
Data Protection Officer	Ensures data privacy compliance under both DPA and GDPR	RO Head & Parent DPO

All locally hired employees of the RO are covered by the Labor Code of the Philippines (Presidential Decree No. 442), as amended, and all subsequent labour legislation. The RO is considered an employer under Philippine law and must comply fully.

Employment Contracts

• All employees must have written employment contracts specifying terms of employment, compensation, benefits, job description, and grounds for termination
• Contracts must comply with minimum standards set by the Labor Code — any provision below statutory minimums is void
• Probationary employment may not exceed six (6) months; failure to provide written performance standards renders the employee regular from day one
• After the probationary period, employees attain regular (permanent) status with full security of tenure protections

Types of Employment

Type	Duration	Key Provisions
Regular	Indefinite	Full security of tenure; can only be terminated for just or authorised causes
Probationary	Up to 6 months	Must have written performance standards; auto-regularises if not terminated properly
Project-based	Specific project	Must be for a defined project with a clear scope and end date
Fixed-term	Defined period	Permitted only when the nature of work justifies it; cannot be used to circumvent regularisation

Statutory Compensation Requirements

Requirement	Details
Minimum Wage	Set by Regional Tripartite Wages and Productivity Boards; varies by region (NCR rates are highest). Reviewed annually.
13th Month Pay	Mandatory. Equivalent to 1/12 of total basic salary earned during the calendar year. Must be paid on or before 24 December.
Overtime Pay	Plus 25% of hourly rate for ordinary days; plus 30% for rest days, special days, and holidays
Night Shift Differential	Plus 10% for work between 10:00 PM and 6:00 AM
Holiday Pay	Regular holidays: 200% of daily rate. Special non-working days: plus 30% if worked
Service Incentive Leave	Minimum 5 days paid leave per year for employees with at least 1 year of service
Maternity Leave	105 days paid (RA 11210 — Expanded Maternity Leave Law); additional 15 days for solo parents
Paternity Leave	7 days paid (RA 8187)
Solo Parent Leave	7 days paid (RA 8972)
Violence Against Women Leave	10 days paid (RA 9262)

Mandatory Government Contributions

Fund	Employer Share	Employee Share	Purpose
SSS (Social Security System)	9.5% of salary	4.5% of salary	Retirement, disability, sickness, maternity, death benefits
PhilHealth	2.25% of salary	2.25% of salary	National health insurance
Pag-IBIG (HDMF)	2% of salary (max ₱200)	1-2% of salary (max ₱200)	Housing loan fund and savings

Note: Contribution rates are subject to periodic adjustment. Current rates should be verified with each agency.

Philippine labour law provides strong security of tenure. Employees may only be terminated for legally recognised causes, with strict procedural requirements.

Just Causes (Employee Fault — Article 297)

• Serious misconduct or wilful disobedience
• Gross and habitual neglect of duties
• Fraud or wilful breach of trust
• Commission of a crime against the employer or co-employees
• Other analogous causes

Procedure: Two written notices required — (1) notice of charges with opportunity to explain, and (2) notice of decision after hearing. No separation pay required.

Authorised Causes (Business Reasons — Articles 298-299)

• Installation of labour-saving devices
• Redundancy
• Retrenchment to prevent losses
• Closure or cessation of business
• Disease not curable within 6 months

Procedure: 30 days written notice to the employee and the Department of Labour and Employment (DOLE). Separation pay required as follows:

Cause	Separation Pay
Redundancy / Labour-saving devices	One (1) month pay per year of service, or one month pay — whichever is higher
Retrenchment / Closure	One-half (½) month pay per year of service, or one month pay — whichever is higher

• Normal Working Hours: 8 hours per day, 48 hours per week maximum (6 working days)
• Meal Break: Minimum 60 minutes, not compensable
• Rest Day: Minimum one (1) rest day per week (24 consecutive hours)
• Occupational Safety: Compliance with the Occupational Safety and Health Standards Act (RA 11058) — including workplace safety programmes, incident reporting, and provision of safe working conditions
• Anti-Sexual Harassment: Compliance with the Safe Spaces Act (RA 11313) and the Anti-Sexual Harassment Act (RA 7877) — the RO must have a Committee on Decorum and Investigation
• Mental Health: Compliance with the Mental Health Act (RA 11036) — workplace policies promoting mental health and access to services

Any foreign nationals employed by the RO require:

• Alien Employment Permit (AEP) from DOLE — must be obtained before the foreign employee begins work
• Special Resident Visa or 9(g) Pre-Arranged Employment Visa from the Bureau of Immigration
• The RO must demonstrate that the position cannot be filled by a qualified Filipino national
• AEPs are typically valid for 1-5 years and must be renewed

The Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations govern the processing of personal data in the Philippines. The RO, as a personal information controller and/or processor, must comply fully.

Core Principles

• Transparency: Data subjects must be informed about the nature, purpose, and extent of data processing
• Legitimate Purpose: Processing must be compatible with a declared, specified, and legitimate purpose
• Proportionality: Processing must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose

Key Obligations

Obligation	Details
Registration	Register data processing systems with the National Privacy Commission (NPC) if processing sensitive personal information of at least 1,000 individuals, or employing at least 250 persons
Data Protection Officer (DPO)	Appoint a DPO who is accountable for compliance. The DPO's contact details must be registered with the NPC
Privacy Impact Assessment	Conduct PIAs for processes involving personal and sensitive personal information
Consent	Obtain informed consent for processing, with specific requirements for sensitive personal information (health, government IDs, etc.)
Data Subject Rights	Facilitate rights to access, correction, erasure, objection, data portability, and filing complaints
Security Measures	Implement organisational, physical, and technical security measures appropriate to the nature of the data
Breach Notification	Notify the NPC and affected data subjects within 72 hours of discovery of a personal data breach involving sensitive personal information
Data Sharing Agreements	Execute written data sharing agreements before sharing personal data with third parties

Penalties Under the DPA

• Imprisonment of 1 to 6 years and fines of ₱500,000 to ₱5,000,000 depending on the offence
• Unauthorised processing, negligent handling, improper disposal, and breach of confidentiality are all criminal offences
• The NPC may issue compliance and enforcement orders, including cease-and-desist orders and temporary or permanent bans on processing

As the RO of a Dutch (EU-based) parent company, data processing activities are also subject to the GDPR where:

• Personal data of EU-based individuals (employees, contacts, stakeholders of the parent company) is processed by the Philippine RO
• The Philippine RO acts as a processor on behalf of the Dutch parent (the controller)
• Data flows between the Philippines and the Netherlands/EU

Key GDPR Implications

• Lawful Basis: All processing must have a documented lawful basis (consent, contract, legitimate interest, legal obligation, vital interest, or public task)
• Data Processing Agreement: A GDPR-compliant Data Processing Agreement (DPA) must be executed between the Dutch parent and the Philippine RO
• Data Protection Impact Assessment (DPIA): Required for high-risk processing activities
• Records of Processing Activities (RoPA): Maintained by both controller and processor
• Data Subject Rights: GDPR rights (access, rectification, erasure, restriction, portability, objection) must be facilitated for EU data subjects whose data is processed in the Philippines

GDPR Penalties

• Up to €20 million or 4% of global annual turnover — whichever is higher
• Penalties are assessed against the Dutch parent company as the controller

Philippines → EU (Dutch Parent)

• Permitted under the DPA provided the receiving country has adequate data protection standards (the EU/Netherlands meets this threshold)
• Data sharing agreements should be in place

EU → Philippines (RO)

• Requires appropriate safeguards under GDPR Article 46, as the Philippines lacks an EU adequacy decision
• Standard Contractual Clauses (SCCs) — the most common mechanism; must use the European Commission's approved clauses (June 2021 version)
• Binding Corporate Rules (BCRs) — an alternative for intra-group transfers, though more complex to implement
• A Transfer Impact Assessment (TIA) should be conducted to evaluate the Philippine legal framework's impact on data protection

The RO must implement the following:

1. Privacy Management Programme — Documented policies and procedures covering all aspects of data processing
2. Data Protection Officer — Appointed and registered with the NPC; acts as liaison for both DPA and GDPR matters
3. Privacy Notices — For employees, contacts, and any individuals whose data is processed
4. Consent Mechanisms — Compliant with both DPA and GDPR requirements
5. Data Processing Agreement — Between the Dutch parent and the Philippine RO, incorporating GDPR Article 28 requirements and SCCs
6. Incident Response Plan — Procedures for breach detection, assessment, containment, notification (72 hours to NPC; 72 hours to EU supervisory authority via parent company), and remediation
7. Employee Training — Regular data privacy training for all RO staff
8. Vendor Management — Due diligence and data processing agreements with all third-party service providers
9. Data Retention Policy — Defined retention periods aligned with both Philippine and Dutch/EU requirements
10. Annual Privacy Impact Assessment — Review and update of data processing activities and risk assessments

The Philippines has a comprehensive anti-corruption legal framework. The following laws are directly relevant to the RO's operations:

Republic Act No. 3019 — Anti-Graft and Corrupt Practices Act

• Prohibits corrupt practices by public officers, including:
• Persuading, inducing, or influencing a public officer to perform an act constituting a violation of rules and regulations
• Directly or indirectly requesting, receiving, or agreeing to receive any gift, present, share, percentage, or benefit for the official's intervention in any transaction
• Causing undue injury to any party, including the Government, through manifest partiality, evident bad faith, or gross inexcusable negligence
• Critically: RA 3019 applies to both the public officer and the private individual who participates in the corrupt act — the RO and its employees can be held liable
• Penalties: Imprisonment of 6-15 years, perpetual disqualification from public office, and forfeiture of illegally obtained benefits

Revised Penal Code — Bribery Provisions (Articles 210-212)

• Direct Bribery (Art. 210): Public officer who agrees to perform or refrain from performing an act in connection with official duties in exchange for gifts/promises
• Indirect Bribery (Art. 211): Public officer who accepts gifts by reason of their office
• Corruption of Public Officials (Art. 212): Any person who offers or gives gifts/promises to a public officer — this directly applies to the RO and its staff

Republic Act No. 6713 — Code of Conduct and Ethical Standards for Public Officials

• Establishes norms of conduct for government officials and employees
• Restricts the acceptance of gifts by public officials — gifts exceeding nominal value are generally prohibited
• Relevant when the RO interacts with government agencies (SEC, BIR, DOLE, LGU, Immigration)

Republic Act No. 9160 — Anti-Money Laundering Act (as amended)

• While primarily targeting financial institutions, the AMLA covers proceeds of corruption offences
• Relevant if the RO's financial transactions could be linked to corrupt activities

The Dutch parent company — and by extension its Philippine RO — is subject to Dutch criminal law regarding corruption, which has extraterritorial reach:

Dutch Criminal Code (Wetboek van Strafrecht)

• Article 177: Active bribery of Dutch public officials — offering, promising, or giving a gift or service to a public official
• Article 177a: Active bribery of foreign public officials — this is the key provision. Bribing a Philippine government official by a Dutch company or its representatives is a criminal offence under Dutch law, prosecutable in the Netherlands
• Article 328ter: Commercial (private-to-private) bribery
• Penalties: Up to 6 years imprisonment and/or fines up to €900,000 for individuals; up to €9,000,000 or 10% of annual turnover for legal entities

Extraterritorial Application

• Dutch anti-corruption law applies to acts committed anywhere in the world by Dutch nationals, residents, and Dutch-registered entities
• Prosecution can occur in the Netherlands even if the corrupt act was committed entirely in the Philippines
• The Dutch Public Prosecution Service (Openbaar Ministerie) actively investigates foreign bribery cases

• OECD Anti-Bribery Convention: The Netherlands is a signatory. The Convention requires member states to criminalise bribery of foreign public officials in international business transactions
• United Nations Convention Against Corruption (UNCAC): Both the Netherlands and the Philippines are parties. Provides a framework for prevention, criminalisation, international cooperation, and asset recovery
• EU Anti-Corruption Directives: Applicable to the Dutch parent, covering both public and private sector corruption

The RO must implement a comprehensive Anti-Corruption and Anti-Bribery Policy, approved by the parent company board, covering at minimum:

Policy Area	Requirements
Gifts & Hospitality	• Clear monetary thresholds for permissible gifts (recommended: nominal value only, e.g., ₱1,000 / €20 maximum) • Pre-approval required for any gift, entertainment, or hospitality offered to or received from government officials • Mandatory gift register maintained by the Compliance Officer • Absolute prohibition on cash gifts
Facilitation Payments	• Strictly prohibited — even where local practice may normalise them • Facilitation payments are illegal under both Philippine and Dutch law • Staff must report any requests for facilitation payments immediately
Government Interactions	• All meetings with government officials must be logged • No commitments, promises, or agreements may be made to government officials without written authorisation • Use of intermediaries or agents for government dealings requires enhanced due diligence
Third-Party Due Diligence	• Anti-corruption due diligence on all agents, consultants, and service providers • Anti-corruption clauses in all third-party contracts • Ongoing monitoring of third-party relationships
Political Contributions & Donations	• No political contributions of any kind without parent company board approval • Charitable donations must be verified as legitimate and not a disguised payment to a government official or political entity
Whistleblower Protection	• Confidential reporting mechanism accessible to all RO staff • Protections against retaliation for good-faith reports • Aligned with the EU Whistleblower Directive (2019/1937) as implemented in the Netherlands • Reports must be investigated and documented
Training	• Mandatory anti-corruption training for all RO staff upon hiring and annually • Enhanced training for staff in roles involving government interaction, procurement, or financial transactions • Training records must be maintained

Although the RO does not engage in commercial transactions, the following activities present elevated corruption risk:

Activity	Risk	Mitigation
SEC licence renewal and compliance filings	Requests for "expediting fees"	Document all interactions; use authorised representatives only
BIR tax compliance and audits	Requests for unofficial payments to resolve assessments	Engage reputable tax advisors; escalate any irregular requests
Immigration and visa processing for foreign staff	Facilitation payments to expedite processing	Use legitimate expediting channels; budget for standard processing times
Local Government Unit (LGU) permits and clearances	Requests for unofficial fees or "donations"	Verify all fees against published schedules; report discrepancies
Engagement of local agents, consultants, or fixers	Agents making corrupt payments on the RO's behalf	Strict due diligence; anti-corruption contractual clauses; monitoring

Internal Financial Controls

• All expenditures above a defined threshold (recommended: ₱50,000 / €800) require dual authorisation
• Bank account signatories must include at least two authorised persons, with parent company oversight
• Monthly financial reporting to the parent company, including reconciliation of remittances received and expenditures incurred
• Annual external audit by a Philippine-accredited audit firm, with reports submitted to both the SEC and the parent company
• Petty cash fund with documented approval and reconciliation procedures

Transfer Pricing

• All remittances from the Dutch parent to the Philippine RO must be documented with clear business purpose
• Transfer pricing documentation must comply with OECD Transfer Pricing Guidelines and both Dutch and Philippine transfer pricing regulations
• The arm's length principle applies — the RO's funding should reflect the actual cost of its permitted activities
• Maintain contemporaneous documentation to defend positions in the event of a tax audit in either jurisdiction
• Annual review of transfer pricing positions by qualified tax advisors familiar with both Dutch and Philippine requirements

Risk	Likelihood	Impact	Consequence	Mitigation
Engaging in income-generating activity	Medium	Critical	SEC licence revocation; fines; criminal liability	Staff training; activity monitoring; legal review of all arrangements
Failure to remit USD $30,000 annually	Low	High	SEC non-compliance; risk of closure	Automated remittance scheduling; compliance calendar tracking
Labour law violations	Medium	High	DOLE penalties; employee lawsuits; reputational damage	Local legal counsel review of all employment practices; regular compliance audits
Data privacy breach	Medium	Critical	Criminal penalties under DPA; fines up to €20M under GDPR; reputational damage	Privacy management programme; DPO appointment; incident response plan; staff training
Corruption / bribery incident	Medium	Critical	Criminal prosecution in Philippines and Netherlands; imprisonment; fines; debarment	Anti-corruption policy; training; whistleblower mechanism; third-party due diligence
Transfer pricing non-compliance	Low	High	Tax adjustments; double taxation; penalties in both jurisdictions	Annual transfer pricing documentation; qualified tax advisors
Inadequate parent company oversight	Medium	High	Board liability under Dutch law; systemic compliance failures	Structured reporting lines; quarterly governance reviews; compliance dashboards

Monthly

Deadline	Obligation	Agency
10th	Withholding tax remittance (BIR Form 1601-C)	BIR
15th	SSS contribution remittance	SSS
15th	PhilHealth contribution remittance	PhilHealth
15th	Pag-IBIG contribution remittance	Pag-IBIG
Monthly	Financial report to parent company	Internal

Quarterly

Deadline	Obligation	Agency
Last day of month following quarter	Quarterly withholding tax return (BIR Form 1601-EQ)	BIR
Quarterly	Governance and compliance report to parent company board	Internal

Annual

Deadline	Obligation	Agency
January 20	Business permit renewal	LGU
January 31	Annual information return of withholding taxes (BIR Form 1604-CF)	BIR
April 15	Annual income tax return (if applicable)	BIR
Within 30 days of anniversary	General Information Sheet (GIS)	SEC
Within 120 days of fiscal year end	Audited Financial Statements	SEC
Annual	Proof of minimum USD $30,000 inward remittance	SEC
Annual	NPC registration renewal / update	NPC
Annual	Anti-corruption training for all staff	Internal
Annual	Privacy impact assessment review	Internal
Annual	Transfer pricing documentation review	Internal / Tax Advisors
Annual	Comprehensive governance audit	Internal / External Auditors

1. Appoint a qualified Resident Agent and RO Head with genuine understanding of Philippine corporate, labour, and regulatory law — not a nominee arrangement
2. Engage reputable local counsel and audit firm — Philippine regulatory nuances require experienced local expertise. Retain both a law firm and a SEC-accredited auditing firm
3. Implement this governance manual as a formal, board-approved document, with annual reviews and updates
4. Conduct annual compliance audits — both financial and operational — with results reported directly to the parent company board
5. Appoint a Data Protection Officer with dual DPA/GDPR competence; register with the NPC
6. Implement a robust anti-corruption programme including policy, training, gift registers, whistleblower mechanism, and third-party due diligence
7. Execute all required agreements — Data Processing Agreement (GDPR-compliant with SCCs), employment contracts, and anti-corruption clauses in third-party contracts
8. Train all Philippine staff on anti-corruption, data privacy, labour rights, and the scope limitations of the RO upon hiring and annually thereafter
9. Maintain meticulous documentation demonstrating that the RO is not generating income — this is the single most critical compliance risk
10. Review the RO structure periodically — if business activities expand beyond liaison and promotion, the office may need to convert to a branch office or subsidiary, which carries different legal and tax obligations
11. Establish a compliance calendar with automated reminders to ensure no filing deadlines are missed
12. Budget appropriately for compliance — the cost of proper governance (legal counsel, audit, training, DPO) is significantly less than the cost of non-compliance

The following appendices should be developed and maintained alongside this framework:

• Appendix A: Anti-Corruption and Anti-Bribery Policy (detailed standalone policy)
• Appendix B: Data Privacy Management Programme
• Appendix C: Data Processing Agreement (GDPR Article 28 compliant, with SCCs)
• Appendix D: Employee Handbook (Philippine labour law compliant)
• Appendix E: Whistleblower Policy and Procedures
• Appendix F: Gift and Hospitality Register Template
• Appendix G: Third-Party Due Diligence Checklist
• Appendix H: Incident Response Plan (Data Breach)
• Appendix I: Transfer Pricing Documentation Template
• Appendix J: Compliance Calendar (detailed, with responsible parties)