Privacy Violation, Breach Incident, Penalty, Complaint Example: Rule XIII - Sec 52

RULE XIII – SEC 52: Unauthorized Processing of Personal Information and Sensitive Personal Information.
Breach incident: A person in the organization processes personal information without the consent of the data subject, or without being authorized under the privacy act or any existing law.
Penalty:
- Personal Information: 1-3 years imprisonment; Php500,000.00 to Php2,000,000.00
- Sensitive Personal Information: 3-6 years imprisonment; Php500,000.00 but not more than Four million pesos (Php4,000,000.00)
Complaint examples:
- Visitor's log book that collects personal information without privacy notification and consent
- CCTV collecting sensitive personal information without privacy notification

RULE XIII – SEC 53: Accessing Personal Information and Sensitive Personal Information Due to Negligence
Breach incident: A person in the organization who, due to negligence, provided access to personal information without being authorized under the privacy act or any existing law.
Penalty:
- Personal Information: 1-3 years imprisonment; Php500,000.00-Php2,000,000.00
- Sensitive Personal Information: 3-6 years imprisonment
Complaint examples:
- Storage location of personal data is not controlled against unauthorized access
- File or storage of personal data stolen due to lack of physical and technical security control

RULE XIII – SEC 54: Improper Disposal of Personal Information and Sensitive Personal Information.
Breach incident: A person in the organization who knowingly or negligently disposes, discards, or abandons the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.
Penalty:
- Personal Information: 6 months to 2 years imprisonment; Php100,000.00-Php500,000.00
- Sensitive Personal Information: 1-3 years imprisonment; Php100,000.00-Php1,000,000.00
Complaint example:
- Paper forms and data storage are not disposed of properly, allowing an unauthorized person to retrieve personal information.

RULE XIII – SEC 55: Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes.
Breach incident: A person in the organization processes personal information for purposes not authorized by the data subject, or otherwise authorized under the privacy act or under existing laws.
Penalty:
- Personal Information: 6 months to 5 years imprisonment; Php500,000.00-Php1,000,000.00
- Sensitive Personal Information: 2-7 years; Php500,000.00-Php2,000,000.00
Complaint example:
- Unauthorized use of collected personal data for marketing, profiling, and sharing

RULE XIII – SEC 56: Unauthorized Access or Intentional Breach.
Breach incident: A person in the organization who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored.
Penalty: 1-3 years imprisonment; Php500,000.00-Php2,000,000.00
Complaint example:
- Theft, hack

RULE XIII – SEC 57: Concealment of Security Breaches Involving Sensitive Personal Information
Breach incident: A person in the organization who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the privacy act, intentionally or by omission conceals the fact of such security breach.
Penalty: 1 year and 6 months to 5 years; Php500,000.00-Php1,000,000.00
Complaint example:
- Failure to notify or report to the NPC the security incidents in the system that processes personal information.

RULE XIII – SEC 58: Malicious Disclosure.
Breach incident: A personal information controller or personal information processor, or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her.
Penalty: 1 year and 6 months to 5 years; Php500,000.00-Php1,000,000.00
Complaint example:
- Patient record disclosed with malicious intention

RULE XIII – SEC 59: Unauthorized Disclosure.
Breach incident: A personal information controller or personal information processor, or any of its officials, employees, or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject.
Penalty:
- Personal Information: 1 year to 3 years; Php500,000.00-Php1,000,000.00
- Sensitive Personal Information: 1 year to 5 years; Php500,000.00-Php2,000,000.00
Complaint example:
- Acted on the request for information by a third party without the authorization of a data subject who owns the personal information.