Understanding the Data Privacy Act

The Data Privacy Act (DPA) protects personal information, sensitive personal information, and privileged information, establishing guidelines for lawful processing and penalties for violations. It outlines the roles of Personal Information Controllers (PIC) and Personal Information Processors (PIP), and specifies unlawful processing activities along with corresponding penalties. The DPA does not apply to certain specified information related to public interest or government functions, ensuring that privacy rights are balanced with transparency.

Uploaded by Noemi Negrillo

DPA

Effective September 8, 2012

IRR of DPA – effective September 9, 2016
Relevant jurisprudence – as of June 30, 2019
National Privacy Commission (NPC) Circulars – as of June 30, 2019
NPC Advisory Opinions – as of June 30, 2019

RA No. 10173
An act protecting individual personal information in information and communications systems in
the government and the private sector, creating for this purpose a national privacy commission,
and for other purposes

Personal data
Individual personal information

Processing – any operation or any set of operations performed upon personal information
including, but not limited to, the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data
(DPA, Sec. 3 (j))
Example: recording of phone conversations “for compliance and quality control purposes”

Personal Data may be contained in –

 Information and communications system
   Refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or in which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document. (Sec. 3 (f), DPA)
 Filing system
   Refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible. (Sec. 3 (e), DPA)

Personal data is processed through –

Data processing systems
- Refer to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing (IRR, Rule 1, Sec. 3 (e))

Personal Information Controllers (PIC) and Personal Information Processors (PIP)

Data Subject
- Gives consent to the processing
PIC
- Decides what to collect, for what purpose, how much, and instructs the processing
- May invoke the privileged nature of privileged communication in his lawful control
- Excludes an individual who collects and uses personal information in connection with personal, family or household affairs
PIP
- Outsourced service provider: a natural or juridical person to whom the PIC outsources the processing
- Processes PI on behalf of, and on the instructions of, the PIC

Unlawful processing, access, disclosure of personal data (DPA, Secs. 25-33)

Violation                                                              Imprisonment                Fine (PHP)
Unauthorized processing of PI (Sec. 25)                                1 - 3 years                 500k - 2M
Unauthorized processing of SPI (Sec. 25)                               3 - 6 years                 500k - 4M
Accessing PI due to negligence, i.e., negligently providing            1 - 3 years                 500k - 2M
  access without authorization (Sec. 26)
Accessing SPI due to negligence (Sec. 26)                              3 - 6 years                 500k - 4M
Improper disposal of PI, e.g., abandoned in a public area              6 months - 2 years          100k - 500k
  or in the trash (Sec. 27)
Improper disposal of SPI (Sec. 27)                                     1 - 3 years                 100k - 1M
Processing of PI for unauthorized purposes (Sec. 28)                   1 year 6 months - 5 years   500k - 1M
Processing of SPI for unauthorized purposes (Sec. 28)                  2 - 7 years                 500k - 2M
Unauthorized access or intentional breach, i.e., breaking into         1 - 3 years                 500k - 2M
  any system where PI or SPI is stored (Sec. 29)
Concealment of a security breach involving SPI (Sec. 30)               1 year 6 months - 5 years   500k - 1M
Malicious disclosure by a PIC or PIP of unwarranted or false           1 year 6 months - 5 years   500k - 1M
  information relating to PI or SPI (Sec. 31)
Unauthorized disclosure by a PIC or PIP of PI, not covered by          1 - 3 years                 500k - 1M
  malicious disclosure (Sec. 32)
Unauthorized disclosure by a PIC or PIP of SPI (Sec. 32)               3 - 5 years                 500k - 2M
Combination or series of the acts defined above (Sec. 33)              3 - 6 years                 1M - 5M

These offenses are made possible through acts and omissions that threaten data privacy.

Personal Data
- All types of personal information (IRR, Rule 1, Sec. 3 (j))

1. Personal Information (PI)

 Refers to any information, whether recorded in material form or not –
   From which the identity of an individual is apparent, or
   Can be reasonably and directly ascertained by the entity holding the information, or
   Which, when put together with other information, would directly and certainly identify an individual (IRR of DPA, Rule 1, Section 3 (l))
 Examples
   Full name, biometrics
   Address, birthdate, birthplace
   Mobile no.
   Bank account number
   Gender
   Parents' names, children's names

2. Sensitive Personal Information (SPI)

 Refers to personal information –
   About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
   About an individual's health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
   Issued by government agencies peculiar to an individual, including, but not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns
   Specifically established by an executive order or an act of Congress to be kept classified (IRR of DPA, Rule 1, Sec. 3 (t))
 Examples:
   Marital status
   Race, color, age, ethnic origin
   Health, education, genetic or sexual life
   Government-issued personal information, tax returns
   Criminal proceeding information
   Religious, philosophical, or political affiliations

3. Privileged Information
 Any and all forms of data which constitute privileged communication under
Rules of Court and laws
 i.e., privileged against compulsory disclosure (DPA, Sec. 3 (k))
 Examples:
 Privileged communication under Rules of Court
 Attorney-client
 Priest-penitent
 Husband-wife
 Physician-patient
 Journalists’ confidential sources (RA 53, as amended by RA 11458)
 Bank deposits (RA 1405)
 Statements on judicial proceedings, if relevant to the issue (Belen v.
People, G.R. No. 211120, 13 February 2017)
 Trade or industrial secrets (Chavez v. PCGG, 299 SCRA 744 (1998))
 State secrets regarding military and diplomatic matters (Chavez v.
PCGG)
 National security matters, intelligence information (Chavez)
 Classified law enforcement matters
 Prior to arrest
 Detention
 Prosecution of criminals

A. Privileged information under the Rules of Court


 DPA context: Privileged communication that relates to information about an
individual (NPC Advisory No. 2018-17)
 Under Rule 130, Section 24, 2019 Amendments to 1989 Revised Rules of
Evidence
Section 24. Disqualification by reason of privileged
communication[s]. – The following persons cannot testify as to
matters learned in confidence in the following cases:
(a) The husband or the wife, during or after the marriage,
cannot be examined without the consent of the other
as to any communication received in confidence by one
from the other during the marriage except in a civil case
by one against the other, or in a criminal case for a
crime committed by one against the other or the latter’s
direct descendants or ascendants.
(b) An attorney or person reasonably believed by the client
to be licensed to engage in the practice of law cannot,
without the consent of the client, be examined as to
any communication made by the client to him or her, or
his or her advice given thereon in the course of, or with
a view to, professional employment, nor can an
attorney's secretary, stenographer, or clerk, or other
persons assisting the attorney be examined, without the
consent of the client and his or her employer, concerning
any fact the knowledge of which has been acquired in such
capacity, except in the following cases: xxx
(c) A physician, psychotherapist or person reasonably
believed by the patient to be authorized to practice
medicine or psychotherapy cannot in a civil case,
without the consent of the patient, be examined as to
any confidential communication made for the purpose
of diagnosis or treatment of the patient’s physical,
mental or emotional condition, including alcohol or
drug addiction, between the patient and his or her
physician or psychotherapist. This privilege also applies
to persons, including member of the patient’s family,
who have participated in the diagnosis or treatment of
the patient under the direction of the physician or
psychotherapist.
A psychotherapist is:
a. A person licensed to practice medicine engaged
in the diagnosis or treatment of a mental or
emotional condition, or
b. A person licensed as a psychologist by the
government while similarly engaged.
(d) A minister, priest or person reasonably believed to be
so cannot, without the consent of the affected person,
be examined as to any communication or confession
made to or any advice given by him or her, in his or her
professional character, in the course of discipline
enjoined by the church to which the minister or priest
belongs.
(e) A public officer cannot be examined during or after his
or her tenure as to communications made to him or her
in official confidence, when the court finds that the
public interest would suffer by the disclosure.

The communication shall remain privileged, even in the hands of a third person who may have obtained the information, provided that the original parties to the communication took reasonable precaution to protect its confidentiality.

B. Privileged information under laws

Bank deposits under RA 1405, as amended (Secrecy of Bank Deposits Law)
  All Philippine bank deposits are of an absolutely confidential nature and may not be examined by any person except upon the depositor's written permission, or in impeachment cases, or upon court order in cases of bribery or dereliction of duty of public officials, or where the money deposited is the subject matter of litigation.
Trade secrets / undisclosed information under the IP Code
  A plan, process, tool, mechanism or compound known only to the owner and to employees with a legitimate need to know; a secret process or formula, not patented, known only to the owner; a specialized customer list. (Air Philippines Corp. v. Pennswell, Inc., G.R. No. 172835, 13 December 2007)
Journalists' confidential sources under RA 53, as amended by RA 11458
  Media practitioners cannot be compelled to reveal the source of any news item, report or information reported by them, which was related in confidence to them, unless the court or the House of Representatives or the Senate or any committee of Congress finds that such revelation is demanded by the security of the State.

DPA Context: Privileged communication that relates to information about an individual (NPC
Advisory No. 2018-17)

DPA, Section 5
Sec. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be
construed as to have amended or repealed the provisions of RA No. 53, which affords the
publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of
general circulation, protection from being compelled to reveal the source of any news report or
information appearing in said publication which was related in any confidence to such publisher,
editor, or reporter.

Difference in treatment of PI and SPI/Privileged Information

PI – Sec. 12. Criteria for lawful processing of personal information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent; xxx

SPI – Sec. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
(a) The data subject has given his or her consent … or in the case of privileged information, all parties to the exchange have given their consent prior to processing; xxx

PI
- General rule: processing is permitted
- Conditions:
  1. Not prohibited by law
  2. Consent of the data subject, or one of the other conditions in Sec. 12 (b)-(f)
SPI / Privileged information
- General rule: processing is prohibited
- Exception: consent of the data subject (for privileged information, consent of all parties to the exchange), or one of the other cases in Sec. 13 (b)-(f)

To summarize:
DPA protects –
- Personal information
- Sensitive personal information
   PI and SPI – personal data identifying an individual
- Privileged information
   Any and all forms of data which constitute privileged communication [and relate to information about individuals]

DPA protects against:
- Unlawful processing, access, and disclosure of personal data (DPA, Secs. 25-33)
- Violators are penalized with imprisonment and fines

Who are liable for violations of the DPA?


Sec. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical
person, the penalty shall be imposed upon the responsible officers, as the case may be,
who participated in, or by their gross negligence, allowed the commission of the crime.
If the offender is a juridical person, the court may suspend or revoke any of its rights
under this Act. If the offender is an alien, he or she shall, in addition to the penalties
herein prescribed, be deported without further proceedings after serving the penalties
prescribed. If the offender is a public official or employee and he or she is found guilty
of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the
penalties prescribed herein, suffer perpetual or temporary absolute disqualification
from office, as the case may be.

Out of scope of the DPA


Sec. 4. Scope. – This Act applies to the processing of all types of personal information xxx.

This Act does not apply to the following: xxx


[“Special Cases” under IRR, Rule II, Sec. 5]

Section 5. Special Cases. The Act and these Rules shall not apply to the following
specified information, only to the minimum extent of collection, access, use, disclosure
or other processing necessary to the purpose, function, or activity concerned:

DPA does not apply* to [PI pertaining to] –

 Information processed to allow public access to information that falls within matters of public concern:
   Services performed by an individual under government contract, including name and contract terms
   Position or function of a government officer or employee
   A government license or permit granted to an individual
   Name on a document prepared in the course of government employment; title, office address and contact number; salary range, responsibilities
   Name of an individual and a financial benefit conferred upon him at the government's discretion, except benefits in the ordinary course of a transaction or as a matter of right
 PI processed for journalistic, artistic, literary or research purposes, to uphold freedom of speech, of expression, or of the press
 PI processed for research purposes intended for a public benefit (artistic and research purposes), where no activity or decision is taken regarding the data subject
 PI necessary for banks to comply with the CISA (Credit Information System Act, RA 9510) and the AMLA (Anti-Money Laundering Act, RA 9160)
 PI necessary to carry out the functions of a public authority, including the independent central monetary authority
 PI originally collected from residents of foreign jurisdictions in accordance with their laws, which is being processed in the Philippines
*The non-applicability does not extend to PICs and PIPs, who remain subject to the DPA's requirements on security measures for personal data protection
*Processing is exempt from the DPA only to the minimum extent necessary to achieve the specific purpose, function or activity

IRR, Rule II, Section 5: Out-of-scope “Special Cases”

Section 5. Special Cases. The Act and these Rules shall not apply to the following
specified information, only to the minimum extent of collection, access, use, disclosure
or other processing necessary to the purpose, function, or activity concerned:

xxx
e. Information necessary for banks, other financial institutions under the jurisdiction of
the independent, central monetary authority or Bangko Sentral ng Pilipinas, and other
bodies authorized by law, to the extent necessary to comply with RA No. 9510 (CISA),
RA 9160, as amended, otherwise known as the Anti-Money Laundering Act, and other
applicable laws;

“Special Cases”: Example (RA 9510, CISA) – the DPA does not apply, except that PICs and PIPs remain bound by its security-measure requirements

“Basic Credit Data”


 Refers to positive and negative information provided by a borrower to a
submitting entity in connection with the application for and availment of a
credit facility and any information on the borrower’s creditworthiness in the
possession of the submitting entity and other factual and objective information
related or relevant thereto in the submitting entity’s data files or that of other
sources of information xxx
xxx
Section 4. Establishment of the Credit Information System. – In furtherance of the policy
set forth in Section 2 of this Act, a credit information system is hereby established.

(a) Banks, quasi-banks, their subsidiaries and affiliates, life insurance companies, credit
card companies and other entities that provide credit facilities are required to
submit basic credit data and updates thereon on a regular basis to the [Credit
Information Corporation].
xxx
Section 6. Confidentiality of Credit Information. – The corporation, the submitting
entities [banks] xxx shall hold the credit information under strict confidentiality and shall
use the same only for the declared purpose of establishing the creditworthiness of the
borrower. xxx

Pursuant to the DPA and IRR, Rule 2:

Section 5. Special Cases. The Act and these Rules shall not apply to the following
specified information, only to the minimum extent of collection, access, use, disclosure
or other processing necessary to the purpose, function, or activity concerned: xxx

Provided, that the non-applicability of the Act or these Rules does not extend to personal
information controllers or personal information processors, who remain subject to the
requirements of implementing security measures for personal data protection xxx.

“Special Cases”: Example (RA 9160, AMLA, as amended) – the DPA does not apply, except that PICs and PIPs remain bound by its security-measure requirements

Section 9. Prevention of Money Laundering; customer Identification Requirements and


Record Keeping. –
a) xxx
b) xxx
c) Reporting of Covered and Suspicious Transactions. – Covered persons shall
report to the AMLC all covered transactions and suspicious transactions within
five (5) working days from occurrence thereof, unless the AMLC prescribes a
different period not exceeding fifteen (15) working days.

2018 IRR, AMLA, as amended: “Covered Transaction” refers to:


(1) A transaction in cash or other equivalent monetary instrument exceeding
Five Hundred Thousand Pesos (Php500,000.00)
(2) A transaction with or involving jewelry dealers, dealers in precious metals
and dealers in precious stones in cash or other equivalent monetary
instrument exceeding One Million Pesos (Php1,000,000.00).
(3) A casino cash transaction exceeding Five Million Pesos (Php5,000,000.00) or
its equivalent in other currency.

Claiming non-applicability of the DPA

IRR, Rule II, Section 6

Section 6. Protection afforded to Data Subjects.

xxx
b. The burden of proving that the Act and these Rules are not applicable to a particular
information falls on those involved in the processing of personal data or the party
claiming the non-applicability.
c. In all cases, the determination of any exemption shall be liberally interpreted in favor
of the rights and interests of the data subject.

Publicly available personal data


Subject to protection under the DPA?
Or free for further use by anyone, e.g., profiling?

1. IRR, Section 5 (Special Cases) does not include publicly available personal data
2. The DPA does not say that publicly available personal data may be used by anyone
for whatever purpose.
3. No blanket authority from the data subject to use her personal data for whatever
purpose by reason alone of posting

Therefore, consent of the data subject to use her personal data is still required. (NPC
Advisory Opinion No. 2017-41)

Free to use for profiling?

Profiling
 Any form of automated processing of personal data consisting of the use of
personal data to evaluate certain personal aspects relating to a natural person,
in particular to analyze or predict aspects concerning that natural person’s
performance at work, economic situation, health, personal preferences,
interests, reliability, behavior, location or movements. (IRR, Section 3 (p))

1. A data subject has a right to be informed whether personal data pertaining to
him or her shall be, are being, or have been processed, including the existence
of automated decision-making and profiling. (IRR, Sec. 34 (a))
2. The data subject shall have the right to object to the processing of his or her
personal data, including processing for direct marketing, automated processing
or profiling. (IRR, Sec. 34 (b))
3. The PIC must notify the NPC when automated processing becomes the sole
basis for making decisions about a data subject, and when the decision would
significantly affect the data subject. (IRR, Sec. 48)

Not free to use for profiling

DPA does not specifically penalize theft, alteration, corruption of personal data – but PIC
responsible for preventing them (DPA, Sec. 20)

Section 20. Security of Personal Information. –


(a) The personal information controller must implement reasonable and
appropriate organizational, physical and technical measures intended for
the protection of personal information against any accidental or unlawful
destruction, alteration and disclosure, as well as against any other unlawful
processing.
(b) The personal information controller shall implement reasonable and
appropriate measures to protect personal information against natural
dangers such as accidental loss or destruction, and human dangers such as
unlawful access, fraudulent misuse, unlawful destruction, alteration and
contamination.
(c) The determination of the appropriate level of security under this section
must take into account –
 The nature of the personal information to be protected
 The risks represented by the processing
 The size of the organization and complexity of its operations
 The larger the organization, the more incidents there
are: positive correlation between frequency of incidents
and organizational size. Source: “Cost of Insider Threat
(2020)” by Ponemon Institute
 Current data privacy best practices
 The cost of security implementation

Subject to guidelines as the Commission may issue from time to time, the measures
implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or
unauthorized usage or interference with or hindering of their functioning or
availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable
vulnerabilities in its computer networks, and for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach; and
(4) Regular monitoring for security breaches and a process for taking
preventive, corrective and mitigating action against security incidents that
can lead to a security breach.

Security Measures under IRR-DPA: Privacy by Design

(1) Organizational
 Rule VI, Section 26
 Designate compliance officer (for privacy), data protection officer
 Group DPO – subject to NPC approval
 Implement Data Protection Policies; supervise employees; contracts with PIPs
ensure PIPs implement security measures
 Maintain records of processing activities; data retention schedule
(2) Physical
 Rule VI, Section 27
 Limiting access to room, work station or facility
 Office design and lay-out provides privacy to processing staff
 Security against natural disasters, power disturbance, external access
(3) Technical
 Rule VI, Section 28
 Security policy for processing personal data
 Safeguards to protect computer network against accidental, unauthorized,
unlawful use; ability to restore access to data
 Data encryption during storage, authentication process for access
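The two technical measures just listed, encryption during storage and an authentication step before access, are easiest to see in working code. The following Go program is an added example, not code from the DPA, the IRR or the NPC: it keeps a record's PI (the name) in the clear but stores each SPI field value encrypted with AES-256-GCM, binds the record ID and field name into the authenticated data so a ciphertext copied from one record into another fails to decrypt, and gates decryption behind a role allow-list. The record IDs, roles, field names and the key derived from a fixed string are assumptions made so the example runs offline; in a real system the key comes from a KMS or HSM and never lives in source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// spiKey is an ASSUMPTION for this example: a 32-byte AES key derived from a
// fixed string so the program runs offline. Production keys belong in a KMS/HSM.
var spiKey = func() []byte {
	k := sha256.Sum256([]byte("example-only key material, replace with a KMS-managed key"))
	return k[:]
}()

// spiAccess is a hypothetical allow-list: which role may read which SPI field.
// This is the "authentication process for access" step; a real system would
// check an authenticated identity, not a bare role string.
var spiAccess = map[string]map[string]bool{
	"physician": {"health": true},
	"payroll":   {"tin": true},
}

var ErrDenied = errors.New("role not authorized for this SPI field")

// aad binds a ciphertext to the record and field it was written for, so an
// attacker with write access to storage cannot move a sealed value between
// records or fields without breaking authentication.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(spiKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSPI encrypts one SPI field value for storage. The stored token is
// base64(nonce || ciphertext || GCM tag); a fresh random nonce per call means
// two identical plaintexts produce different tokens.
func SealSPI(recordID, field, plaintext string) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenSPI checks the caller's role against the allow-list first, then decrypts.
// Tampering with the token, or presenting it under a different record ID or
// field name, fails the GCM authentication check and yields an error.
func OpenSPI(role, recordID, field, token string) (string, error) {
	if !spiAccess[role][field] {
		return "", ErrDenied
	}
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample record: the name (PI) stays in clear, the health
	// condition (SPI) is sealed before it reaches storage.
	name := "Juan dela Cruz"
	tok, _ := SealSPI("emp-1042", "health", "asthma")
	fmt.Println("stored:", name, "| health:", tok[:16]+"...")
	v, err := OpenSPI("physician", "emp-1042", "health", tok)
	fmt.Println("physician reads:", v, err)
	_, err = OpenSPI("payroll", "emp-1042", "health", tok)
	fmt.Println("payroll reads:", err)
	_, err = OpenSPI("physician", "emp-2001", "health", tok) // token copied to another record
	fmt.Println("copied ciphertext:", err)
}
```

The split between clear PI and sealed SPI mirrors the Sec. 12 / Sec. 13 distinction above: the stricter regime for SPI is enforced in the storage layer rather than left to application discipline, and the role check in OpenSPI is the point where a PIC's access policy, not just its key, decides who can read a health record.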

(d) The personal information controller must further ensure that third parties
processing personal information on its behalf shall implement the security
measures required by this provision.

(e) The employees, agents or representatives of a personal information


controller who are involved in the processing of personal information shall
operate and hold personal information under strict confidentiality if the
personal information are not intended for public disclosure. This obligation
shall continue even after leaving the public service, transfer to another
position or upon termination of employment or contractual relations.

PIP - Subcontracting - PIC  Data Sharing - PIC

Continuing obligation of confidentiality


Training is very important

Subcontracting and Data Sharing must comply with


PIC shall be responsible for ensuring that proper safeguards are in place to –
 Ensure the confidentiality of the personal information processed
 Prevent its use for unauthorized purposes, and
 Generally, comply with the requirements of DPA and other laws for processing
of personal information
(Sec. 14, DPA)

Data Protection Officer and Compliance Officer


 Help the PIC to ensure compliance with the DPA

The DATA LIFE CYCLE


 Creation and collection
 Storage and transmission
 Usage and distribution
 Retention
 Disposal and destruction

Subcontracting (IRR, Rule X, Sec. 44)

Section 44. Agreements for Outsourcing. Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller.
a. [Contents of outsourcing contract] The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.
b. [Stipulation on PIP obligations] The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
   1. Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
   2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
   3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the Commission;
   4. Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
   5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, to fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
   6. Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;
   7. At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Act or another law;
   8. Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter;
   9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of the Commission.

Section 45. Duty of personal information processor. The personal information processor shall comply with the requirements of the Act, these Rules, other applicable laws, and other issuances of the Commission, in addition to the obligations provided in a contract, or other legal act, with a personal information controller.

Other relevant principles or directive in the IRR:


1. A PIC is responsible for any personal data under its control or custody, including those
that have been outsourced or transferred to a PIP. (IRR, Section 50)
2. Using appropriate contractual agreements, a PIC should ensure that its PIPs also
implement the security measures required under the law. In fact, it must only deal with
PIPs that provide sufficient guarantees to implement such measures, and ensure the
protection of the rights of data subjects. (IRR, Section 26 (f); see also: IRR, Section 50
(a))
3. When registering its data processing system, a PIC must ensure that its registration
information indicates the recipients or categories of recipients (including personal
information processors) of the data involved (IRR, Section 47 (a) (4)), and where
applicable, whether the processing is being carried out pursuant to an outsourcing or
subcontracting agreement (IRR, Section 47 (a) (2)).
4. An outsourcing contract, subcontracting agreement, or any similar document, including
its implementation, is subject to the review of the Commission. (IRR, Section 49 (c))

Data Sharing (IRR, Rule IV, Section 20)


- The disclosure or transfer to a third party of personal data under the custody of a
personal information controller or personal information processor
- In the case of the latter, such disclosure or transfer must have been upon the
instructions of the personal information controller concerned.
- The term excludes outsourcing, or the disclosure or transfer of personal data by a
personal information controller to a personal information processor. (IRR, Section 3 (f))

Data Sharing: further use of personal data collected from another who is not the data subject
(IRR, Rule IV, Section 20)

Section 20. General Principles for Data Sharing. Further processing of Personal Data
collected from a party other than the Data Subject shall be allowed under any of the
following conditions:
a. Data sharing shall be allowed when it is expressly authorized by law: Provided,
that there are adequate safeguards for data privacy and security, and processing
adheres to principle of transparency, legitimate purpose and proportionality.
b. Data Sharing shall be allowed in the private sector if the data subject consents
to data sharing and the following conditions are complied with:
a. Consent for data sharing shall be required even when the data is to be
shared with an affiliate or mother company, or similar relationships;
b. Data sharing for commercial purposes, including direct marketing,
shall be covered by a data sharing agreement.
(a) The data sharing agreement shall establish adequate
safeguards for data privacy and security, and uphold rights
of data subjects.
(b) The data sharing agreement shall be subject to review by
the Commission, on its own initiative or upon complaint of
data subject;
c. The data subject shall be provided with the following information prior
to collection or before data is shared:
(a) Identity of the personal information controllers or personal
information processors that will be given access to the
personal data; [Note: unlike Section 34(a)(2)(e), wherein it is
possible to refer to the recipients of the personal data by
their class]
(b) Purpose of data sharing
(c) Categories of personal data concerned
(d) Intended recipients or categories of recipients of the
personal data
(e) Existence of the rights of data subjects, including the right
to access and correction, and the right to object;
(f) Other information that would sufficiently notify the data
subject of the nature and extent of data sharing and the
manner of processing.
d. Further processing of shared data shall adhere to the data privacy
principles laid down in the Act, these Rules, and other issuances of the
Commission.
c. Data collected from parties other than the data subject for purpose of
research shall be allowed when the personal data is publicly available, or has
the consent of the data subject for purpose of research; Provided, that
adequate safeguards are in place, and no decision directly affecting the data
subject shall be made on the basis of the data collected or processed. The rights
of the data subject shall be upheld without compromising research integrity.

PIC’s accountability for data transfer (IRR, Rule XII, Section 50)

Section 50. Accountability for Transfer of Personal Data. A personal information
controller shall be responsible for any personal data under its control or custody,
including information that have been outsourced or transferred to a personal
information processor or a third party for processing, whether domestically or
internationally, subject to cross-border arrangement and cooperation.
a. A personal information controller shall be accountable for complying
with the requirements of the Act, these Rules, and other issuances of
the Commission. It shall use contractual or other reasonable means to
provide a comparable level of protection to the personal data while it is
being processed by a personal information processor or third party.
b. A personal information controller shall designate an individual or
individuals who are accountable for its compliance with the Act. The
identity of the individual or individuals so designated shall be made
known to a data subject upon request.

When things go wrong…

Security incident
 An event or occurrence that affects or tends to affect data protection, or may
compromise the availability, integrity and confidentiality of personal data
 Includes incidents that would result to a personal data breach, if not for
safeguards that have been put in place

Personal data breach


 Breach of security leading to the
 accidental or unlawful destruction, loss, (availability breach)
 alteration of personal data, (integrity breach)
 unauthorized disclosure of, or access to, (confidentiality breach)
personal data transmitted, stored, or otherwise processed

Breach of personal data privacy

Data Privacy
- The right of an individual –
 Not to have private information about himself disclosed (informational)
 To live freely from surveillance and intrusion (decisional)

Right to privacy
- Right to be let alone (Morfe v. Mutuc, G.R. No. L-20387, 31 January 1968)
- Right to privacy felt in the physical space (locational or situational privacy) (Vivares v. St.
Theresa’s College, G.R. No. 202666, 29 September 2014)

Right to privacy under the Civil Code

Article 26. Every person shall respect the dignity, personality, privacy, and peace of
mind of his neighbors and other persons. The following and similar acts, though they
may not constitute a criminal offense, shall produce a cause of action for damages,
prevention and other relief:
(1) Prying into the privacy of another’s residence;
(2) Meddling with or disturbing the private life or family relations of another;
(3) Intriguing to cause another to be alienated from his friends;
(4) Vexing or humiliating another on account of his religious belief, lowly
station in life, place of birth, physical defect, or other personal condition.

In case of security incidents and personal data breaches – Rule IX, Section 41, IRR:
- PIC must document all security incidents and personal data breaches through written
reports, including those not covered by the notification requirements.
- For security incidents not involving personal data, a report containing aggregated data
shall constitute sufficient documentation
- These reports shall be made available when requested by the Commission
- Submit annual report of summary of documented security incidents and data breaches

In case personal data breach is reasonably believed to have occurred –


(f) The personal information controller shall promptly notify the Commission and
affected data subjects when -
 Sensitive personal information or other information that may, under the
circumstances, be used to enable identity fraud are reasonably believed to have
been acquired by an unauthorized person, and
 The personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject

What must notification contain?


DPA, Sec. 20 f; IRR, Rule IX, Sec. 39
The notification shall at least describe –
 Nature of the breach
 Sensitive personal information possibly involved; and
 Measures taken by entity to reduce the harm or negative consequences
of the breach
 Representatives of the personal information controller, including
contact details from whom data subject can obtain additional
information about breach

May the PIC delay or postpone notification?


DPA, Sec. 20 f
Notification may be delayed only to the extent necessary to –
 Determine scope of breach
 Prevent further disclosures, or
 Restore reasonable integrity to the information and communications
system

The Commission may authorize postponement of notification where it may hinder the
progress of a criminal investigation related to a serious breach.

May the PIC dispense with notification?


DPA, Sec. 20 f
(1) In evaluating if notification is unwarranted, the Commission may take into
account compliance by the personal information controller with this section
[Section 20*]
(2) The Commission may exempt a personal information controller from
notification where, in its reasonable judgment, such notification would not
be in the public interest or in the interests of the affected data subjects.
*requirement for reasonable and appropriate organizational, physical and technical measures
for protection of personal information against any accidental or unlawful destruction, alteration
and disclosure, unlawful processing

If notification is warranted, PIC must notify NPC


Section 30. Concealment of Security Breaches Involving Sensitive Personal
Information. – The penalty of imprisonment xxx and a fine xxx shall be imposed
on persons who, after having knowledge of a security breach and of the
obligation to notify the Commission pursuant to Section 20(f), intentionally or
by omission conceals the fact of such security breach.

If notification is warranted, PIC must notify NPC and data subjects –


 Within 72 hours upon knowledge of, or when there is reasonable belief by the
PIC or PIP that a personal data breach requiring notification has occurred
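The incident and breach-notification rules above (security incident versus personal data breach, the two Sec. 20(f) conditions, the 72-hour window, and the minimum contents of the notice), worked into an incident-response triage helper. This is an added example, not code from the original notes or from the NPC; the field names, the constructed sample incidents, and starting the 72-hour clock at the moment of knowledge are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Set

# Added example, not part of the original notes: an incident-response triage
# helper applying the DPA Sec. 20(f) / IRR Rule IX rules summarised above.
# Field names, sample incidents and starting the 72-hour clock at the moment
# of knowledge ("known_at") are this example's own assumptions.


class BreachType(Enum):
    AVAILABILITY = "availability"        # accidental or unlawful destruction, loss
    INTEGRITY = "integrity"              # alteration of personal data
    CONFIDENTIALITY = "confidentiality"  # unauthorized disclosure of, or access to


@dataclass
class SecurityIncident:
    incident_id: str
    known_at: datetime                   # when the PIC/PIP knew or reasonably believed
    personal_data_involved: bool
    breach_types: Set[BreachType] = field(default_factory=set)
    # Sec. 20(f), first condition: SPI or identity-fraud-enabling data is
    # reasonably believed to have been acquired by an unauthorized person
    spi_or_id_fraud_data_acquired: bool = False
    # Sec. 20(f), second condition: PIC or NPC believes a real risk of serious harm
    real_risk_of_serious_harm: bool = False
    nature: str = ""
    spi_categories: List[str] = field(default_factory=list)


NOTIFICATION_WINDOW = timedelta(hours=72)


def is_personal_data_breach(inc: SecurityIncident) -> bool:
    """A personal data breach needs personal data actually destroyed, lost,
    altered, disclosed or accessed; other events stay security incidents."""
    return inc.personal_data_involved and bool(inc.breach_types)


def notification_required(inc: SecurityIncident) -> bool:
    """Both Sec. 20(f) conditions must hold; otherwise document only (IRR Sec. 41)."""
    return (is_personal_data_breach(inc)
            and inc.spi_or_id_fraud_data_acquired
            and inc.real_risk_of_serious_harm)


def notification_deadline(inc: SecurityIncident) -> datetime:
    """NPC and affected data subjects must be notified within 72 hours of knowledge."""
    return inc.known_at + NOTIFICATION_WINDOW


def documentation_requirement(inc: SecurityIncident) -> str:
    """IRR Sec. 41: every incident is documented; an aggregated report suffices
    for incidents that do not involve personal data."""
    return "written report" if inc.personal_data_involved else "aggregated report"


def build_notification(inc: SecurityIncident, measures_taken: List[str],
                       contact: Dict[str, str]) -> Dict[str, object]:
    """Assemble the minimum contents of DPA Sec. 20(f) / IRR Sec. 39 and refuse
    to emit an incomplete notice."""
    if not notification_required(inc):
        raise ValueError("notification not warranted; document the incident only")
    if not inc.nature or not measures_taken or not contact:
        raise ValueError("nature, measures taken and a contact person are mandatory")
    return {
        "nature_of_breach": inc.nature,
        "breach_types": sorted(t.value for t in inc.breach_types),
        "sensitive_personal_information_involved": list(inc.spi_categories),
        "measures_to_reduce_harm": list(measures_taken),
        "pic_representative": dict(contact),
        "notify_by": notification_deadline(inc).isoformat(),
        "recipients": ["National Privacy Commission", "affected data subjects"],
    }


# Constructed sample incidents (not real cases); all became known at T0.
T0 = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)

RANSOMWARE_HR = SecurityIncident(
    incident_id="INC-1", known_at=T0, personal_data_involved=True,
    breach_types={BreachType.AVAILABILITY, BreachType.CONFIDENTIALITY},
    spi_or_id_fraud_data_acquired=True, real_risk_of_serious_harm=True,
    nature="HR file share encrypted after unauthorized access; records copied out",
    spi_categories=["government ID numbers", "health records"])

LOST_ENCRYPTED_LAPTOP = SecurityIncident(
    incident_id="INC-2", known_at=T0, personal_data_involved=True,
    breach_types={BreachType.AVAILABILITY},
    nature="Full-disk-encrypted laptop lost; no unauthorized access believed")

LOGIN_FLOOD = SecurityIncident(
    incident_id="INC-3", known_at=T0, personal_data_involved=False)
```

`notification_required(LOST_ENCRYPTED_LAPTOP)` is false, so the laptop loss is still documented in a written report but no Sec. 20(f) notice is built, while `LOGIN_FLOOD` needs only an aggregated report.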

DPA and IRR


- Consent of Data Subject
 Type of personal information
 Type of transaction/activity
- DPA violations by PIC, PIP
- Personal Data Breach

Consent of data subject to processing of personal data

Consent of data subject


 Freely given, specific, informed indication of will, whereby the data subject
agrees to the collection and processing of personal information about and/or
relating to him or her.
 Consent shall be evidenced by written, electronic or recorded means.
 It shall be time-bound in relation to the declared, specified and legitimate
purpose
 It may also be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so. (IRR, Rule 1, Sec. 3) – Special Power of
Attorney

Implied, implicit, or negative consent is not recognized under the DPA and its IRR. The
consent of data subject is required to be specific and evidenced through written,
electronic, or recorded means. Thus, it needs to be express and not subject to
conjectures, based on assumptions, or ascertained by mere inference. (NPC Advisory
Opinion 2017-018)

If data subject is PIC’s customer or client, and processing of the latter’s personal data is
contingent on such relationship –
 Consent is “time-bound” if the effectivity of the consent is coterminous with
the relationship
 PIC cannot solely determine duration of consent
 Consent required is that of data subject, not that of the PIC (NPC Advisory
Opinion 2017-018)

The website of an online retailer provides the following option for consumers
purchasing products through the website: “I hereby agree to any future legitimate use
of my personal data for the business.” The consumer can simply tick this option before
proceeding to place her order. Is this consent valid?

No.

The consent is not valid because it is perpetual, determined only by the personal
information controller, not time-bound in relation to a declared, specified, and
legitimate purpose. This is contrary to the General Principles in data processing
(IRR of the DPA, Sec. 19).

In this case, “any future legitimate purpose” is not specific enough to inform the
data subject about how her data will be used and for what purpose.

Hence, it is not a valid consent.

A hotel website contains the following statement in its Privacy Notice: “Your
continued use of our website shall be deemed to mean consent to our use of
your personal data which we may collect in the course of your visit to this
website.” Is this consent valid?

No.

Implied, implicit, or negative consent is not recognized under the DPA and its
IRR. The consent of a data subject is required to be specific and evidenced
through written, electronic, or recorded means, not based on assumption or
inference. It must be freely given, specific, and an informed indication of will.
(Sec. 3(b)) The purpose for the collection of personal data must be specific and
legitimate, and determined and declared before, or as soon as reasonably
practicable after collection.

In this case, no purpose was declared to the data subject and the grant of
consent was implied.

Hence, the consent is not valid.

How does the law protect personal information?

Section 4. Scope. – This Act applies to the processing of all types of personal information
and to any natural and juridical person involved in personal information processing xxx

Extraterritorial application of DPA


(DPA, Sec. 6; IRR, Rule II, Sec. 4)
Section 4. Scope. The Act and these Rules apply to the processing of personal data by
any natural and juridical person in the government or private sector. They apply to an
act done or practice engaged in and outside of the Philippines, if:
a. The natural or juridical person involved in the processing of personal
data is found or established in the Philippines;
b. The act, practice or processing relates to personal data about a
Philippine citizen or Philippine resident;
c. The processing of personal data is being done in the Philippines; or
d. The act, practice or processing of personal data is done or engaged in by
an entity with links to the Philippines, with due consideration to
international law and comity, such as, but not limited to, the following:
1. Use of equipment located in the country, or maintains an office,
branch or agency in the Philippines for processing of personal
data;
2. A contract is entered in the Philippines;
3. A juridical entity unincorporated in the Philippines but has
central management and control in the country;
4. An entity that has a branch, agency, office or subsidiary in the
Philippines and the parent or affiliate of the Philippine entity
has access to personal data;
5. An entity that carries on business in the Philippines;
6. An entity that collects or holds personal data in the Philippines.

A foreign entity, whether it is a parent or an affiliate of a Philippine company, is covered
by the DPA – including its provision on breach notification – only if it is engaged in the
processing of the personal data of Filipino citizens or Philippine residents, and/or has an
established link to the Philippines. (NPC Advisory Opinion No. 17-018)

How does the law protect personal information?


3. Recognizing and enforcing the rights of the Data Subject (Section 16, DPA)
 The right to be informed
 The right to access
 The right to object
 The right to erasure or blocking
 The right to damages
 The right to file a complaint
 The right to rectify – any false or incorrect data held by the PIC or PIP
 The right to data portability – going to the bank and downloading data to thumb
drive

Data subject’s rights protected throughout data life cycle


- Creation and collection
- Storage and transmission
- Usage and distribution
- Retention
- Disposal and destruction

In relation to Sec. 38, DPA


Section 38. Interpretation. – Any doubt in the interpretation of any provision of this Act
shall be liberally interpreted in a manner mindful of the rights and interests of the
individual about whom personal information is processed.

Section 16 (a), (b): Right to be informed – through PRIVACY NOTICE


(a) Be informed whether personal information pertaining to him or her shall be, are being
or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her
personal information into the processing system of the personal information controller,
or at the next practical opportunity: xxx (PRIVACY NOTICE)
(1) Description of the personal information to be entered into the system;
[WHAT]
(2) Purposes for which they are being or are to be processed [WHY]
(3) Scope and method of the personal information processing [HOW]
(4) The recipients or classes of recipients to whom they are or may be disclosed
[GIVEN TO WHOM]
(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized [HOW TO ACCESS
AUTOMATICALLY]
(6) The identity and contact details of the personal information controller or its
representative [PIC?]
(7) The period for which the information will be stored [KEPT HOW LONG?]
(8) The existence of their rights, i.e., to access, correction, as well as the right to
lodge a complaint before the Commission. [WHAT RIGHTS?]

Example: Privacy Notice of Globe Telecom


Privacy Policy
Information we collect and use
Profiling and automated decision-making
Information we share
How we protect your information
How long we keep your information
Your rights as a data subject
How to reach us

Any information supplied or declaration made to the data subject on these matters shall
not be amended without prior notification of data subject:
Provided, That the notification under subsection (b) [e.g., PI to be collected,
purpose for collection, classes of recipients] shall not apply should the personal
information be needed –
 Pursuant to a subpoena or
 When the collection and processing are for obvious purposes, including
when it is necessary for the performance of or in relation to a contract
or service or
 When necessary or desirable in the context of an employer-employee
relationship, between the collector and the data subject, or
 When the information is being collected and processed as a result of
legal obligation; [consistent with the criteria for lawful process of
personal information under Sec. 12, DPA]

Criteria for lawful processing


(DPA, Section 12)
Processing of personal information is allowed, only if not otherwise prohibited by law,
and –
 With consent of data subject (DS); or
 Necessary processing relates to:
 Fulfilling contract with data subject
 Taking steps at data subject’s request prior to contracting
 PIC’s compliance with legal obligation
 Protect vitally important interests of DS – life and health
 Respond to national emergency
 Comply with public order and safety requirements
 Fulfill constitutional/statutory mandate of public authority, or
 Pursue legitimate interests of PIC or a third party to whom data is
disclosed, but need to balance with Constitutional freedoms of data
subject

Sec. 16 (a) (b): Right to be informed


IRR, Rule VIII, Section 34 (b): Right to object
b. Right to object. The data subject shall have the right to object to the
processing of his or her personal data, including processing for direct marketing,
automated processing or profiling.

The data subject shall also be notified and given an opportunity to
withhold consent to the processing in case of changes or any
amendment to the information supplied or declared to the data subject
in the preceding paragraph. [i.e., information declared to data subject
pursuant to the right to be informed under the DPA, Sec. 16 (a) and (b)]

When a data subject objects or withholds consent, the personal information controller
shall no longer process the personal data, unless:
1. The personal data is needed pursuant to a subpoena
2. The collection and processing are for obvious purposes, including, when it is
necessary for the performance of or in relation to a contract or service to
which the data subject is a party, or when necessary or desirable in the
context of an employer-employee relationship between the collector and
the data subject; or
3. The information is being collected and processed as a result of a legal
obligation. [consistent with criteria for lawful processing of PI under DPA,
Sec. 12]

Sec. 16 (c): Right to access


(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were processed
(2) Sources from which personal information were obtained
(3) Names and addresses of recipients of the personal information
(4) Manner by which such data were processed
(5) Reasons for the disclosure of the personal information to recipients
(6) Information on automated processes where the data will or likely to be made as the
sole basis for any decision significantly affecting or will affect the data subject
(7) Date when his or her personal information concerning the data subject were last
accessed and modified; and
(8) The designation, or name or identity and address of the personal information
controller;

Sec. 16 (d): Right to rectify


(d) Dispute the inaccuracy or error in the personal information and have the personal
information controller correct it immediately and accordingly, unless the request is
vexatious or otherwise unreasonable. If the personal information have been corrected,
the personal information controller shall ensure the accessibility of both the new and
the retracted information and the simultaneous receipt of the new and retracted
information by recipients thereof: Provided, That the third parties who have previously
received such processed personal information shall be informed of its inaccuracy and its
rectification upon reasonable request of the data subject;

Sec. 16 (e): Right to erasure or blocking


(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal
information with the personal information controller’s filing system upon discovery and
substantial proof that the personal information are incomplete, outdated, false,
unlawfully obtained, used for unauthorized purposes or are no longer necessary for the
purposes for which they were collected. In this case, the personal information controller
may notify third parties who have previously received such processed personal
information

IRR, Rule VIII, Section 34:


This right may be exercised upon discovery and substantial proof of any of the following:
(a) The personal data is incomplete, outdated, false, or unlawfully obtained;
(b) The personal data is being used for purpose not authorized by the data
subject
(c) The personal data is no longer necessary for the purposes for which they
were collected
(d) The data subject withdraws consent or objects to the processing and there
is no other legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to data
subject, unless justified by freedom of speech, of expression, or of the press
or otherwise authorized
(f) The processing is unlawful
(g) The personal information controller or personal information processor
violated the rights of the data subject

Sec. 16 (f): Right to damages


(f) Be indemnified for any damages sustained due to such inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal information
 Taking into account any violation of his or her rights and freedoms as data
subject (IRR, Rule VIII, Sec. 34)

Sec. 18: Right to data portability


Sec. 18. Right to Data Portability. – The data subject shall have the right, where personal
information is processed by electronic means and in a structured and commonly used
format, to obtain from the personal information controller a copy of data undergoing
processing in an electronic or structured format, which is commonly used and allows for
further use by the data subject. The Commission may specify the electronic format
referred to above, as well as the technical standards, modalities and procedures for
their transfer.

IRR, Rule VIII, Sec. 36


The exercise of this right shall primarily take into account the right of data subject to
have control over his or her personal data being processed based on consent or
contract, for commercial purpose, or through automated means.

Transmissibility of Rights of Data Subject


(DPA, Section 17)
The lawful heirs and assigns of the data subject may invoke the rights of the data subject
for which he or she is an heir or assignee at any time after the death of the data subject
or when the data subject is incapacitated or incapable of exercising the rights as
enumerated in the immediately preceding section.

Non-applicability of Data Subject Rights


Sec. 19. Non-applicability. – The immediately preceding sections* (Sec. 18, Right to
Data Portability; Sec. 17, Transmissibility of Rights of Data Subject) are not applicable if
the processed personal information are used only for the needs of scientific and
statistical research and, on the basis of such, no activities are carried out and no
decisions are taken regarding the data subject: Provided, That the personal information
shall be held under strict confidentiality and shall be used only for the declared purpose.
Likewise, the immediately preceding sections are not applicable to processing of
personal information gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject.

IRR, Rule VIII, Sec. 37


Any limitations on the rights of the data subject shall only be to the minimum

Providing principles and standards for processing of personal information


a. General Data Privacy Principles (DPA, Sec. 11)
 Transparency
 Data subject is informed of –
 Nature, specific and legitimate purpose, extent of data
processing
 Risks, safeguards, identity of PI Controller
 Rights and how exercised, and
 Information and communication easy to access and understand
 Legitimacy
 Consent required prior to collection and processing
 Processing compatible with declared purpose
 Purpose not contrary to law, morals, public policy
 PI is accurate, relevant, up to date, rectify or restrict processing
if inaccurate
 Proportionality
 Processing is –
 Fair and lawful; adequate, relevant, suitable, necessary
 Not excessive in relation to specified purpose
 Purpose cannot be fulfilled by other means

General principles in collection, processing and retention (IRR, Rule IV, Sec. 19)
 Collection: for declared, specified, and legitimate purpose
 Processing: fair, lawful, ensure data quality
 Personal data not retained longer than necessary
 Authorized further processing: with adequate safeguards
 Only personal data that is necessary and compatible with declared, specified, and
legitimate purpose shall be collected

Retention and further use of personal data?


(IRR, Rule IV, Sec. 19)
Any authorized further processing shall have adequate safeguards
1. Personal data originally collected for a declared, specified, or legitimate
purpose may be processed further for historical, statistical, or scientific
purposes, and in cases laid down in law, may be stored for longer periods,
subject to implementation of the appropriate organizational, physical, and
technical security measures required by the Act in order to safeguard the
rights and freedoms of the data subject
2. Personal data which is aggregated or kept in a form which does not permit
identification of data subjects may be kept longer than necessary for the
declared, specified, and legitimate purpose
3. Personal data shall not be retained in perpetuity in contemplation of a
possible future use yet to be determined. [so determine a legitimate
business purpose for retention in order for retention to be permitted]

(IRR, Rule IV, Sec. 19)


The provision pertains to the authorized further processing and the retention of
personal data that have already been transformed into an aggregated or anonymized
state. What were previously considered personal data have been rendered anonymous,
such that the data may no longer be associated or traced back to a specific person or
individual.

In relation to deletion, we believe that a data subject no longer has any right to erasure,
as provided under Section 34(e) of the IRR, if the data concerned has already been
aggregated or anonymized.

Since anonymized data refers to data or information that may not be traced back to a
particular person or individual, they do not constitute personal data, as defined by the
IRR. Accordingly, given that a data subject may only assert his or her rights under the
DPA relative to his or her personal data, he or she may not invoke or exercise such rights
in relation to other types of data, including anonymized data.

Legitimate interest of PIC or third party


Purpose Test
 Legitimate interest clearly established?
 [matters desired by/important to PIC/third party not contrary to law,
morals, public policy – business, financial, other reasonable purpose]
 What does the particular processing seek to achieve
 E.g., personal investigations, public announcement of terminated
employees, verification of facts, posting of cases in DOJ website, tracing
location of missing family members
Necessity Test
 Processing necessary for the purpose of legitimate interest?
 Adequate, relevant, suitable, necessary, not excessive
 No other means of reasonably fulfilling purpose?
Balancing Test
 Fundamental rights and interest of data subject must not be overridden by the
legitimate interest of the PIC/third party
