Data Privacy Act

The Data Privacy Act (R.A. 10173) safeguards personal data in both government and private sectors, requiring personal information controllers (PIC) and processors (PIP) to register with the National Privacy Commission under specific conditions. It mandates security measures for data protection and outlines the rights of data subjects, including the right to be informed, access, dispute inaccuracies, and withdraw consent. The Act also has extraterritorial application and specifies conditions under which personal information processing is permitted, particularly concerning sensitive data.

Uploaded by

crescentsinner

DATA PRIVACY ACT

R.A. 10173
COVERAGE OF DATA PRIVACY ACT (RA 10173)
A. COVERED MATTERS
The Act protects personal data in information and communication systems (ICT)
in both the government and the private sectors. It covers the processing of all types
of personal information belonging to any natural or juridical person (“Data Subject”).

B. COVERED PERSONS
All personal information controllers (PIC) and personal information processors
(PIP) who use equipment located in the Philippines or maintain an office,
branch, or agency in the Philippines. (ex. PSA as PIC and SM/LBC as the PIP)
HOWEVER: It shall not impair the protection afforded to journalists and their
sources, from being compelled to reveal the source of any news report
appearing in said publication which was related to them in confidence.

The PIC which subcontracts the processing of personal information shall be
responsible for ensuring that the proper safeguards are in place to ensure the
confidentiality of the personal information. (ex. PSA subcontracts its processing to LBC)
1. REGISTRATION W/ NATL. PRIVACY COMM (NPC)
In essence, PICs and PIPs are mandated to register their personal data
systems with the NPC under the following conditions:
(a) If sensitive personal information of at least 1,000 individuals is processed;

(b) If the PIC or PIP employs at least 250 persons; and

(c) If fewer than 250 persons are employed, but the processing (i) is not occasional;
(ii) might pose a risk to the rights and freedoms of the Data Subject.
2. SECURITY MEASURES FOR THE PROTECTION
OF PERSONAL DATA
(A) Assign a Data Protection Officer or Compliance Officer accountable for
ensuring compliance with the applicable laws and regulations on data privacy
and security;
(B) Implement appropriate data protection policies that provide for organizational,
physical, and technical security measures;
(C) Select, train, and supervise employees, agents, or representatives who will have
access to personal data;
(D) Develop, implement, and review policies and procedures for the collection and
processing of personal data, for data subjects to exercise their rights under the
Act, access management, system monitoring, protocols for security incidents
or technical problems, and data retention;
(E) Ensure through appropriate contractual agreements that their personal
information processors shall also implement the security measures required by the
Act;

(F) Comply, where appropriate, with physical security guidelines set forth by NPC;

(G) Adopt and establish technical security measures such as, but not limited to,
security policy for the processing of personal data; safeguards to protect their
computer network; periodic evaluation of security measures’ effectiveness;
and personal data encryption.
C. EXTRATERRITORIAL APPLICATION
The Act has extraterritorial application such that it is applicable to an act done
or practice engaged in and outside the Philippines, if:

(1) Natural or juridical person involved in the processing of personal data is found
or established in the Philippines;

(2) Act, practice, or processing relates to personal data about a Philippine citizen
or resident;

(3) Processing of personal data is being done in the Philippines; or


(4) Act, practice, or processing of personal data is done or engaged in by an entity
with links to the Philippines, with due consideration to international law &
comity, such as the following:
(i) Use of equipment located, or maintains an office, branch or agency, in the
Philippines for processing of personal data;
(ii) A contract is entered into in the Philippines;
(iii) A juridical entity unincorporated in the Philippines but has central management
and control in the country; or
(iv) An entity that has branch, agency, office, or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal data.
D. DPA DOES NOT APPLY:
(i) Related to Public service: Current or former government officers or relating
to their positions or functions;
(ii) Related to Government Service Providers: An individual who was, or is, working
under service contracts for a government institution in so far as it relates to
service, name, or terms of his contract;
(iii) Related to Financial Discretionary Benefit by the Government: Any discretionary
benefit of a financial nature such as the granting of a license or permit given
by government to an individual;
(iv) Information necessary in order to carry out the functions of public authority
relating to the Secrecy Bank Deposit Act, Foreign Currency Act and Credit
Information System Act;
(v) Information necessary for banks and other financial institutions under the
BSP’s jurisdiction to comply with AMLA.
(vi) Personal information processed for journalistic, artistic, literary, or research
purposes;
(vii) Personal information originally collected from foreign citizens in accordance
with the laws of the foreign jurisdictions which is being processed in the
Philippines.
2. WHEN PROCESSING OF PERSONAL
INFORMATION ALLOWED
The processing of personal information shall be permitted only if:
(A) Not otherwise prohibited by law; and
(B) When at least one (1) of the following conditions exists:
(i) Data Subject has given its consent;
(ii) The processing of personal information is necessary:
➢ And is related to the fulfillment of a contract with Data Subject;
➢ For compliance with PIC’s legal obligation;
➢ To protect vitally important interests of DS including life & health;
➢ In order to respond to national emergency; and
➢ For legitimate interest pursued by PIC or by 3rd person/s to whom
data is disclosed, except when such interests are overridden by the
fundamental rights under the Constitution.
A. EFFECTS & PARAMETERS OF DATA SUBJECT’S
SUBMISSION OF CONSENT
(1) DS’s consent gives the Data processor permission to collect and process his
personal information in accordance with a specified and legitimate purpose.
(2) Specified and legitimate purpose should be determined and declared before,
or as soon as reasonably practicable after, collection but before processing.
(3) Personal Information shall be retained only for as long as necessary for the
establishment, exercise or defense of legal claims, or for legitimate business
purposes, or as provided by law.
(4) Personal information must also be kept in a form which permits identification
of DS for no longer than is necessary for the purposes for which the data
were collected and processed.
(5) Processing of sensitive personal information and privileged
information shall be prohibited:

EXCEPT IF:
(a) DS has given his consent;
(b) Processing is provided for by existing laws & regulations;
(c) Processing is necessary to protect the life & health of DS or other person;
(d) Processing is necessary to achieve the lawful and non-commercial objectives
of public organization provided that:
➢ Processing is confined & related to the bona fide members of these
organizations or their associations;
➢ Sensitive personal information are not transferred to 3rd parties;
➢ DS’s consent was obtained prior to processing.

(e) Processing is necessary for the purpose of medical treatment provided that
it is carried out by a medical practitioner; and
(f) Processing concerns such personal information as is necessary to protect
lawful rights and interest of natural or legal persons.
B. PERMISSIBLE PROCESSING OF PERSONAL
INFORMATION:
(1) Collected for specified & legitimate purposes determined before, or as soon
as reasonably practicable after collection, and later processed in line with
the purpose;
(2) Processed fairly & lawfully;
(3) Accurate & kept up to date; inaccurate data must be immediately rectified;
(4) Adequate & not excessive for the purpose for which they are collected;
(5) Retained only for as long as necessary for the fulfillment of the purpose
for which it was collected;
(6) Kept in a form which permits identification of DS for no longer than is
necessary for the purpose for which collected.
3. RIGHTS OF DATA SUBJECT
EXCEPT:

(a) When personal information is used only for scientific & statistical research,
and held to be strictly confidential and used only for the declared purpose;
or

(b) In investigations relating to criminal, administrative or tax liabilities.


DATA SUBJECT ENTITLED TO THE FOLLOWING
RIGHTS:
A. RIGHT TO BE INFORMED & BE FURNISHED THE FOLLOWING
INFORMATION – Before the entry of his personal information, DS has
the right to be informed & furnished information of:
(i) Description of the personal information to be entered into the system;
(ii) Purpose for which they are to be processed, the scope & method of the
personal information processing;
(iii) Recipients to whom they may be disclosed;
(iv) Identity & contact details of the information controller;
(v) Period for which the information will be stored;
(vi) Existence of his rights as the DS.
B. RIGHT TO REASONABLE ACCESS – The DS will always have
reasonable access to:
(i) Contents of his personal information;
(ii) Sources from which they were obtained;
(iii) Names & addresses of recipients of the personal information;
(iv) Manner by which the data is processed;
(v) Reason for the disclosure of the personal information to recipients;
(vi) Information where data will likely be the sole basis for any decision
significantly;
(vii) Date when information was last accessed & modified; and
(viii) Designation, name or identity & address of PIC.
C. RIGHTS TO DISPUTE ERRORS
The DS shall have the right to dispute the inaccuracy in the personal
information & to have it corrected immediately & accordingly unless the request is
vexatious or unreasonable.

D. RIGHT TO WITHDRAW FROM FILING SYSTEM
DS has the right to have his personal information withdrawn or destroyed
from the controller’s filing system for personal information found to be
incomplete, outdated, false, unlawfully obtained, or used for unauthorized
purposes.
E. RIGHT TO BE INDEMNIFIED FOR ANY DAMAGES SUSTAINED
This covers damages sustained due to inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal information.

F. RIGHT TO DATA PORTABILITY
DS has the right, where personal information is processed by electronic
means and in a structured & commonly used format, to obtain from the PIC
a copy of such data.
SUMMARY
DATA - ANY INFORMATION PERTAINING TO PERSON.
DATA SUBJECT – REFERS TO PERSON OR INDIVIDUAL WHOSE
INFORMATION IS PROCESSED.
PERSONAL INFORMATION (PI) – PROCESSED DATA OF PERSON
OR INDIVIDUAL.
PERSONAL INFORMATION CONTROLLER (PIC) – PERSON
(NATURAL OR JURIDICAL) WHO COLLECTS, HOLDS, USES, OR
PROCESSES PERSONAL INFORMATION.
PERSONAL INFORMATION PROCESSOR (PIP) – ANYONE WHO
PROCESSES THE INFORMATION OR DATA.
SENSITIVE PERSONAL INFORMATION
➢ INDIVIDUAL RELIGION
➢ ETHNIC
➢ MARITAL
➢ AGE
➢ HEALTH
➢ EDUCATION
FIRST GROUP
R - ACE
E - THNICITY
M - ARITAL STATUS
A - GE
R - ELIGIOUS/POLITICAL
C - OLOR
SECOND GROUP
S - EXUAL LIFE
H - EALTH
O - FFENSES/ALLEGED OFFENSES
E - DUCATION
THIRD GROUP
TIN #, SSS #, LICENSE #, GOVT-ISSUED INFO.

FOURTH GROUP
BANK ACCOUNT
DATA PROCESSING SYSTEM – Generally covers everything.

Personal data collection
Includes non-traditional mechanical collection of data
Processing/delivery by any mode or medium (ex. texting, delivery via phone)
PRINCIPLE OF PROCESSING:
T - RANSPARENCY

L - EGITIMATE PURPOSE

P - ROPORTIONALITY (FOR HOW LONG)


DATA PROCESSING:
INVOLVES PERSONAL INFORMATION ONLY. (GENERAL RULE)

HOWEVER: SENSITIVE PERSONAL INFORMATION (SPI) AND
PRIVILEGED PERSONAL INFORMATION (PPI)
cannot be the subject of processing; it is PROHIBITED

EXCEPT:
1. Consent of the DS
2. Pursuant to Law that does not require consent
3. Necessity to protect LIFE, HEALTH or the PERSON
4. For medical treatment
5. To protect lawful right.
Cadajas y Cabias vs. People
G.R. No. 247348, Nov 16, 2021

A 24-year-old man was convicted for inducing a
14-year-old girl to send explicit photos via
Facebook Messenger, violating anti-child
pornography laws, despite claims of a
consensual relationship.
Facts:
Background and Relationship
•Petitioner Christian Cadajas y Cabias, then 24 years old,
met the victim, AAA, who was 14 years old, at a canteen
where he worked. Their relationship began when AAA’s
sibling informed petitioner that AAA had a crush on him.
Despite initially avoiding her, AAA began stalking him, and
they eventually communicated via Facebook Messenger.
After two weeks of courtship, they became sweethearts on
April 2, 2016.
Discovery of the Relationship
•In June 2016, BBB, AAA’s mother, discovered their
relationship after accessing AAA’s Facebook account
on her phone. BBB disapproved of the relationship
due to AAA’s age, but the couple ignored her
warnings.
Incident of Sexual Solicitation
•In October 2016, BBB read messages where petitioner was
luring AAA to meet him in a motel. She confronted petitioner
and told him to stay away from AAA.
•On November 18, 2016, BBB found explicit messages
between petitioner and AAA, where petitioner coaxed AAA to
send photos of her breasts and vagina. AAA complied but
later tried to delete the messages. BBB forced AAA to open
petitioner’s Facebook Messenger account to retrieve the
conversation.
Petitioner’s Admission and Defense
•Petitioner admitted to sending messages like “oo
ready ako sa ganyan” and “sige hubad” but denied
sending explicit photos of himself. He claimed that
AAA asked him to delete their messages and that he
broke up with her because her mother disapproved
of their relationship.
Criminal Charges
•Petitioner was charged with two offenses:
• Criminal Case No. 215-V-17: Violation of Section 10(a) of R.A.
No. 7610 (Special Protection of Children Against Abuse,
Exploitation, and Discrimination Act) for coercing AAA to send
explicit photos.
• Criminal Case No. 216-V-17: Violation of Section 4(c)(2) of R.A.
No. 10175 (Cybercrime Prevention Act) in relation to Sections
4(a), 3(b), and (c)(5) of R.A. No. 9775 (Anti-Child Pornography
Act) for inducing AAA to send explicit photos via Facebook
Messenger.
Trial Court Decision
•The Regional Trial Court (RTC) acquitted petitioner
of the charge under R.A. No. 7610 but found him
guilty of child pornography under R.A. No. 10175 in
relation to R.A. No. 9775. He was sentenced to
reclusion temporal and fined P1,000,000.00.
Court of Appeals Decision
•The Court of Appeals (CA) affirmed the RTC’s
decision but modified the penalty to an
indeterminate sentence of 14 years, 8 months,
and 1 day to 18 years and 3 months, while
retaining the fine.
Issue:

Whether the CA gravely erred in not finding
that the evidence presented by the prosecution
is inadmissible for violating petitioner's right
to privacy.
RULING:
Upon a careful review of the records of this case, the Court finds the petition to be
without merit.

On petitioner's right to privacy

One of the arguments raised by petitioner before this Court concerns the
admissibility of the evidence presented by the prosecution, which was taken from
his Facebook messenger account. He claims that the photos presented in evidence
during the trial of the case were taken from his Facebook messenger account.
According to him, this amounted to a violation of his right to privacy, and therefore,
any evidence obtained in violation thereof amounts to a fruit of the poisonous tree.

We disagree.
The right to privacy is defined as "the right to be free from
unwarranted exploitation of one's person or from
intrusion into one's private activities in such a way as to
cause humiliation to a person's ordinary sensibilities." It is
the right of an individual "to be free from unwarranted
publicity, or to live without unwarranted interference by
the public in matters in which the public is not necessarily
concerned." Simply put, the right to privacy is "the right to
be let alone."
The Court capped things off by bringing up the
reasonable expectation of privacy test
and showed why, when applied to the case,
there was indeed no privacy
violation to speak of.
