Data Privacy Act

The Data Privacy Act establishes the following: 1) It recognizes the right to privacy of communication and protects personal information in both the government and private sectors. 2) It creates the National Privacy Commission to administer the Act's provisions, monitor compliance with international standards, and ensure confidentiality of personal information. 3) It defines key terms like personal information, processing, consent, and establishes principles for personal data processing including legitimate purpose, fair and lawful processing, accuracy, and limited retention.

Uploaded by Jasmin Galacio

Data Privacy Act (R.A. 10173)
Cutos, Trishia Mae C.

- The Right to Information and Communications Privacy is recognized under Article III, Sec. 3(1) of the Constitution, which states that the privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law.

According to Section 2 of the Data Privacy Act, Declaration of Policy:

It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

Functions of the National Privacy Commission (NPC)

To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the NPC. (Sec. 7)

The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession. (Sec. 8)

Terminologies to take notice under R.A. 10173

- Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
- Data subject refers to an individual whose personal information is processed.
- Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
- Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
  1) A person or organization who performs such functions as instructed by another person or organization; and
  2) An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.
- Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
- Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
- Sensitive personal information refers to personal information:
  1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  2) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  4) Specifically established by an executive order or an act of Congress to be kept classified.

Scope of Application (Sec. 4)

This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph.

This Act does not apply to the following:

a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
  1) The fact that the individual is or was an officer or employee of the government institution;
  2) The title, business address and office telephone number of the individual;
  3) The classification, salary range and responsibilities of the position held by the individual; and
  4) The name of the individual on a document prepared by the individual in the course of employment with the government;
b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
d) Personal information processed for journalistic, artistic, literary or research purposes;
e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Data Privacy Principle (Sec. 11)

The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:

a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
b) Processed fairly and lawfully;
c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, that adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

Lawful Processing of Personal Information. The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

a) The data subject has given his or her consent;
b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Sensitive Personal Information and Privileged Information. The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

RIGHTS OF THE DATA SUBJECT

Rights of the Data Subject. The data subject is entitled to:

a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
  1. Description of the personal information to be entered into the system;
  2. Purposes for which they are being or are to be processed;
  3. Scope and method of the personal information processing;
  4. The recipients or classes of recipients to whom they are or may be disclosed;
  5. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
  6. The identity and contact details of the personal information controller or its representative;
  7. The period for which the information will be stored; and
  8. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;

c) Reasonable access to, upon demand, the following:
  1. Contents of his or her personal information that were processed;
  2. Sources from which personal information were obtained;
  3. Names and addresses of recipients of the personal information;
  4. Manner by which such data were processed;
  5. Reasons for the disclosure of the personal information to recipients;
  6. Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
  7. Date when his or her personal information concerning the data subject were last accessed and modified; and
  8. The designation, or name or identity and address of the personal information controller;
d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;
e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller's filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

FAQs

1. Can the mantle of protection afforded by this law go beyond territorial jurisdiction?

Section 6. Extraterritorial Application. This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
  i. A contract is entered in the Philippines;
  ii. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
  iii. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
(c) The entity has other links in the Philippines such as, but not limited to:
  i. The entity carries on business in the Philippines; and
  ii. The personal information was collected or held by an entity in the Philippines.

2. What is the commission created by virtue of this Data Privacy Act?

The National Privacy Commission

PERSONAL DATA BREACH

The notification shall include, but not be limited to:

1. Nature of the breach
2. Personal data possibly involved
3. Measures taken to address the breach

The Commission reserves the right to require additional information, if necessary.

Data Breach Notification:

a) The Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.
b) Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
c) Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.

Delay of Notification. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal data.
b. The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest, or in the interest of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

Breach Report

a. The personal information controller shall notify the Commission by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details.
b. All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to the Commission annually.

Subcontract of Personal Information

A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws. (Sec. 14)

ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

- Principle of Accountability. Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
  a. The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
  b. The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.

- Registration of Personal Data Processing Systems. The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
  a. The contents of registration shall include:
    1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details;
    2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;
    3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;
    4. The recipients or categories of recipients to whom the data might be disclosed;
    5. Proposed transfers of personal data outside the Philippines;
    6. A general description of privacy and security measures for data protection;
    7. Brief description of the data processing system;
    8. Copy of all policies relating to data governance, data privacy, and information security;
    9. Attestation to all certifications attained that are related to information and communications processing; and
    10. Name and contact details of the compliance or data protection officer, which shall immediately be updated in case of changes.
  b. The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.

- Notification of Automated Processing Operations. The personal information controller carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.
  a. The notification shall include the following information:
    1. Purpose of processing;
    2. Categories of personal data to undergo processing;
    3. Category or categories of data subject;
    4. Consent forms or manner of obtaining consent;
    5. The recipients or categories of recipient to whom the data are to be disclosed;
    6. The length of time the data are to be stored;
    7. Methods and logic utilized for automated processing;
    8. Decisions relating to the data subject that would be made on the basis of processed data or that would significantly affect the rights and freedoms of data subject; and
    9. Names and contact details of the compliance or data protection officer.
  b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject.

Review by the Commission

The following are subject to the review of the Commission, upon its own initiative or upon the filing of a complaint by a data subject:

a. Compliance by a personal information controller or personal information processor with the Act, these Rules, and other issuances of the Commission;
b. Compliance by a personal information controller or personal information processor with the requirement of establishing adequate safeguards for data privacy and security;
c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its implementation;
d. Any off-site or online access to sensitive personal data in government allowed by a head of agency;
e. Processing of personal data for research purposes, public functions, or commercial activities;
f. Any reported violation of the rights and freedoms of data subjects;
g. Other matters necessary to ensure the effective implementation and administration of the Act, these Rules, and other issuances of the Commission.

Exercise:

Mark Zuckerberg was hired as a data controller by the Government. Lucas Page's information has a lot of inaccuracies, which is why he cannot claim death benefits from SSS. He filed a petition asking for the correction of his personal information. Can his petition be accommodated? Why or why not?

- Breach notification report: the notification shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects.

FAQs

1. Can the rights of a data subject be transferred to his or her heirs or assigns?

Yes. The lawful heirs and assigns of the data subject may invoke the rights of the data subject of which he or she is an heir at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights set forth by law.

2. Interrelate the Data Privacy Act with other commercial laws.

Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws.
