Study Guide: Implementing Rules and Regulations (IRR) of the Data Privacy Act of 2012 (RA 10173)
--------------------------------------------------------------------------------
I. General Provisions and Scope

State Policy: The Rules enforce the Data Privacy Act to safeguard the fundamental human right to privacy while ensuring the free flow of information for innovation and national development.

Scope of Application: Applies to the processing of all types of personal data by any natural or juridical person in the government or private sector. It has extraterritorial application if the person involved is established in the Philippines, the processing relates to a Philippine citizen/resident, or the entity has links to the Philippines (e.g., uses equipment in the country or maintains a branch).

Non-Applicability (Special Cases): The Act does not apply to specific information to the minimum extent necessary for its purpose, such as:
  o Information about government employees relating to their position/functions.
  o Information necessary for journalistic, artistic, or literary purposes to uphold freedom of speech.
  o Information for research intended for public benefit.
  o Information necessary for law enforcement or regulatory functions of public authorities.

--------------------------------------------------------------------------------
II. Key Definitions for Legal Analysis

Data Subject: An individual whose personal, sensitive personal, or privileged information is processed.

Personal Information (PI): Information from which the identity of an individual is apparent or can be reasonably and directly ascertained.

Sensitive Personal Information (SPI): Includes info about race, ethnic origin, marital status, age, color, religious/political affiliations, health, education, genetic/sexual life, and government-issued IDs peculiar to an individual (e.g., SSS, tax returns).

Privileged Information: Data which, under the Rules of Court and other laws, constitute privileged communication.

Personal Information Controller (PIC): A person or body who controls the processing of personal data or instructs another to process on its behalf.

Personal Information Processor (PIP): Any person or body to whom a PIC outsources the processing of data.

--------------------------------------------------------------------------------
III. General Data Privacy Principles

Processing must adhere to three core principles:

1. Transparency: The data subject must be aware of the nature, purpose, and extent of processing.
2. Legitimate Purpose: Processing must be compatible with a declared purpose that is not contrary to law or public policy.
3. Proportionality: Processing must be adequate, relevant, and not excessive in relation to the purpose.

--------------------------------------------------------------------------------
IV. Lawful Processing of Personal Data

Personal Information: Processing is allowed if the data subject gave consent, if it is necessary for a contract, to comply with a legal obligation, to protect vitally important interests (life/health), or for the legitimate interests of the PIC (unless overridden by the subject's fundamental rights).

Sensitive Personal Information (SPI): Processing is generally prohibited unless:
  o Consent is given specifically for the SPI.
  o Provided for by existing laws that guarantee protection.
  o Necessary to protect life/health when the subject is legally/physically unable to consent.
  o Necessary for medical treatment by a practitioner or institution.
  o Necessary for the protection of lawful rights in court proceedings or legal claims.

--------------------------------------------------------------------------------
V. Rights of the Data Subject

Data subjects possess the following statutory rights:

1. Right to be Informed: Whether their data is being processed, including profiling and automated decision-making.
2. Right to Object: The right to refuse processing, especially for direct marketing.
3. Right to Access: Reasonable access to the contents of their data, sources, recipients, and the manner of processing.
4. Right to Rectification: The right to dispute inaccuracies and have them corrected immediately.
5. Right to Erasure or Blocking: The right to suspend or order the removal of data upon proof it is incomplete, false, or unlawfully obtained.
6. Right to Data Portability: The right to obtain a copy of data in a structured, commonly used electronic format.
7. Right to Damages: Indemnification for sustained damages due to inaccurate or unauthorized use of data.

--------------------------------------------------------------------------------
VI. Security Measures and Accountability

General Obligation: PICs and PIPs must implement reasonable and appropriate organizational, physical, and technical measures to ensure the availability, integrity, and confidentiality of data.

Accountability for Transfer: The PIC is responsible for data under its control, including that which is transferred to a PIP (third-party processor). They must use contractual means to ensure a comparable level of protection.

Data Breach Notification: The National Privacy Commission (NPC) and affected subjects must be notified within 72 hours of knowledge of a breach involving SPI or info that enables identity fraud.

--------------------------------------------------------------------------------
VII. Penalties and Liabilities

The Act imposes severe criminal penalties for violations:

Unauthorized Processing: Imprisonment of up to 3 years and fines up to PHP 2M for PI; up to 6 years and PHP 4M for SPI.

Access due to Negligence: Imprisonment of up to 3 years and fines up to PHP 2M for PI; up to 6 years and PHP 4M for SPI.

Malicious Disclosure: Imprisonment of 1.5 to 5 years and fines up to PHP 1M.

Large-Scale Violation: The maximum penalty is imposed if the data of at least 100 persons is involved.

Public Officers: If the offender is a public officer, they suffer an additional accessory penalty of disqualification from public office.

…

I. Jurisdictional Scope and Extraterritorial Application

The DPA has a broad jurisdictional reach. It applies to the processing of personal data by any natural or juridical person in the government or private sector.

Extraterritorial Application: The Rules apply even to acts done outside the Philippines if:
  o The person involved is found or established in the Philippines.
  o The processing relates to data about a Philippine citizen or resident.
  o The entity has links to the Philippines, such as maintaining an office/branch, entering a contract in the country, or using equipment located in the Philippines.

Special Cases (Exemptions): The Rules generally do not apply to information for journalistic, artistic, or literary purposes (to uphold freedom of speech), research for public benefit, or information necessary for public authorities to carry out law enforcement or regulatory functions. However, these exemptions are interpreted liberally in favor of the data subject and only apply to the minimum extent necessary.

--------------------------------------------------------------------------------
II. The Taxonomy of Data: PI vs. SPI

Understanding the distinction between these categories is critical for determining the lawfulness of processing and the severity of penalties.

1. Personal Information (PI): Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding it.
2. Sensitive Personal Information (SPI): This category includes information about race, marital status, age, religious/political affiliations, health, education, and genetic/sexual life. It also includes government-issued IDs (e.g., SSS, tax returns) and anything specifically classified by an executive order or act of Congress.
3. Privileged Information: Data which, under the Rules of Court, constitutes privileged communication. The PIC may invoke this principle, and evidence gathered from privileged information is generally inadmissible.

--------------------------------------------------------------------------------
III. Core Principles of Data Processing

All processing must adhere to three "Pillars":

Transparency: The data subject must be aware of the nature, purpose, and extent of processing, including risks and safeguards.

Legitimate Purpose: The purpose must be declared, specified, and not contrary to law, morals, or public policy.

Proportionality: Processing must be adequate, relevant, and not excessive. Data should only be processed if the purpose cannot reasonably be fulfilled by other means.

--------------------------------------------------------------------------------
IV. Criteria for Lawful Processing

For Personal Information (PI): Processing is allowed if the subject gave consent, or if it is necessary for a contract, a legal obligation, to protect vitally important interests (life/health), or for the legitimate interests of the PIC (unless overridden by the subject's fundamental rights).

For Sensitive Personal Information (SPI): Processing is generally prohibited unless:
  o Specific consent is given for the SPI.
  o Provided for by existing laws that do not require consent but guarantee protection.
  o Necessary to protect the life/health of a subject who is legally or physically unable to consent.
  o Necessary for medical treatment by a practitioner/institution.
  o Necessary for the protection of lawful rights in court proceedings.

--------------------------------------------------------------------------------
V. The "Bill of Rights" of the Data Subject

Data subjects are granted specific statutory rights under Rule VIII:

1. Right to be Informed: To know if their data is being processed, including automated decision-making and profiling.
2. Right to Object: To refuse processing, particularly for direct marketing.
3. Right to Access: Reasonable access to the contents of their data, sources, and names of recipients.
4. Right to Rectification: To dispute inaccuracies and have them corrected immediately.
5. Right to Erasure or Blocking: To order the removal of data that is false, outdated, or unlawfully obtained.
6. Right to Data Portability: To obtain a copy of data in a structured, electronic format for further use.
7. Right to Damages: Indemnification for sustained damages due to inaccurate or unauthorized data use.

--------------------------------------------------------------------------------
VI. Security and Accountability

The 72-Hour Rule: The National Privacy Commission (NPC) and affected subjects must be notified within 72 hours of knowledge of a personal data breach involving SPI or information that could enable identity fraud.

PIC vs. PIP: A Personal Information Controller (PIC) controls the processing; a Personal Information Processor (PIP) is a third party to whom a PIC outsources processing. The PIC remains accountable for data under its control, even if transferred to a PIP. Contracts between PICs and PIPs are mandatory and must include specific security and confidentiality clauses.

--------------------------------------------------------------------------------
VII. Penalties and Liabilities

Unauthorized Processing: Imprisonment (1-3 years for PI; 3-6 years for SPI) and heavy fines.

Access due to Negligence: Penalties apply if unauthorized access was granted because of a failure to secure the data.

Large-Scale Violation: The maximum penalty is imposed if the data of at least 100 persons is involved.

Public Officers: If the offender is a public officer, they face an additional penalty of disqualification from public office (term is double the criminal penalty).
--------------------------------------------------------------------------------
VIII. Practice Legal Questions for Analysis
Question 1: Jurisdictional Reach
An e-commerce company based in Singapore processes the credit card details and home addresses of 500 Philippine residents for orders delivered to Manila. Does the Philippine National Privacy Commission have jurisdiction over this Singaporean entity?

Analysis: Yes. Under Section 4 of the IRR, the Act applies to entities outside the Philippines if the processing relates to personal data about a Philippine resident or if the entity has links to the Philippines, such as carrying on business in the country.

Question 2: Consent for Sensitive Data
A hospital shares the HIV-positive status of a patient with an insurance company without the patient's written consent, claiming it is "legally necessary" for processing a claim. Is this valid under the DPA?

Analysis: Likely No. Health information is Sensitive Personal Information (SPI). Processing SPI generally requires specific consent unless it falls under strict exceptions like medical treatment by a practitioner or protection of rights in court. Routine insurance processing usually requires specific, informed consent.

Question 3: The Right to Erasure
A former employee demands that his former company delete all records of his past performance reviews, claiming his "Right to Erasure" because the data is "no longer necessary." Must the company comply?

Analysis: No. While subjects have a right to erasure, it is limited. Section 34(e) allows erasure if data is no longer necessary for the purpose it was collected. However, the company can retain it for the establishment, exercise, or defense of legal claims or for legitimate business purposes consistent with industry standards.

Question 4: Breach Notification
A bank discovers a technical "security incident" where some account numbers were visible to other logged-in users for 4 hours. No identity fraud was reported. Does the bank have to notify the NPC?

Analysis: Yes, if the bank reasonably believes the breach involves information that can enable identity fraud and poses a real risk of serious harm to the data subjects. The notification must occur within 72 hours of discovery.