
Overview of the Data Privacy Act 2012

Uploaded by

tumarujames567

September 28, 2024

R.A. No. 10173 or the Data Privacy Act | Privacy of Communications and
Correspondence | THE BILL OF RIGHTS
POLITICAL LAW AND PUBLIC INTERNATIONAL LAW
R.A. No. 10173 or the Data Privacy Act of 2012
The Data Privacy Act of 2012 (Republic Act No. 10173) is the primary law in the
Philippines that governs the collection, processing, and storage of personal data in
both the public and private sectors. It is a comprehensive law designed to protect
the privacy of individuals and ensure the free flow of information to promote
innovation and growth. The law applies to all forms of personal data, whether in
physical or digital form, and establishes various rights for data subjects and
obligations for data controllers and processors. Here's a detailed breakdown of the
key aspects related to the Act:

I. Objectives of the Data Privacy Act


Protect the Fundamental Human Right to Privacy: The Data Privacy Act upholds the
right to privacy of communication and correspondence as enshrined in Section 3(1),
Article III of the Philippine Constitution, which protects the privacy of communication
from unlawful intrusion.

Regulate the Collection, Use, and Processing of Personal Data: It seeks to regulate
how personal data is collected, used, stored, disclosed, and disposed of, ensuring
that individuals’ personal data is not misused or unlawfully disclosed.

Ensure Data Security: The law emphasizes the importance of maintaining security in
handling personal information, particularly against unauthorized access,
modification, or destruction.

II. Scope of the Data Privacy Act


Territorial Scope: The Data Privacy Act applies to both government and private
sector entities located within the Philippines that process personal data. It also
applies to entities outside the Philippines if they use equipment located in the
country or process the personal data of Philippine citizens and residents.

Entities Covered:
Personal Information Controllers (PIC): These are entities that control the processing
of personal data, such as corporations, organizations, or individuals.
Personal Information Processors (PIP): These are entities or individuals that process
data on behalf of PICs.

Exclusions: The Act does not apply to the following:
Personal, family, or household activities.
Journalistic, artistic, literary, or research purposes.
Information about government officials in relation to their official functions.
Data processed for the national security, public order, and safety of the country.
Law enforcement, if duly authorized under existing laws.

III. Key Definitions Under the Data Privacy Act

Personal Data: Information, whether recorded or not, from which the identity of an
individual can be reasonably and directly ascertained or, when put together with
other information, would make an individual identifiable.

Sensitive Personal Information: Information related to an individual's race, ethnic
origin, marital status, age, health, education, genetic or sexual life,
government-issued identifiers (such as social security number), and financial data.

Privileged Information: Any and all forms of data that are considered privileged
under existing laws (e.g., attorney-client communications).

IV. Data Privacy Principles


The Act imposes a set of principles that data controllers and processors must
adhere to when handling personal data:

Transparency: Personal data processing must be fully transparent to the data
subject. The data subject must be aware of how, why, and what personal data is
being processed.

Legitimate Purpose: The data collected must be for a legitimate purpose that is
clearly communicated to the data subject, and the data must be processed in a
manner compatible with that purpose.

Proportionality: Only personal data that is necessary for the declared purpose
should be collected, and it should not be retained longer than necessary.

V. Rights of Data Subjects


The Data Privacy Act grants individuals specific rights concerning their personal
data:

Right to Be Informed: Individuals have the right to be informed whether their
personal data is being processed, including the purpose of such processing, the
data being collected, and other related information.

Right to Access: Data subjects have the right to access the personal data being held
about them and be informed about how this data has been processed.

Right to Rectification: If the data subject finds inaccuracies in their personal data,
they have the right to have it corrected without undue delay.

Right to Erasure or Blocking: Data subjects can demand the deletion or blocking of
their personal data if it is unlawfully processed or if it is no longer necessary for the
purpose for which it was collected.

Right to Object: Individuals can object to the processing of their personal data,
especially for purposes such as direct marketing or profiling.

Right to Data Portability: Data subjects have the right to receive a copy of their data
in a structured, commonly used, and machine-readable format.

Right to File a Complaint: The data subject can lodge a complaint with the National
Privacy Commission (NPC) in case of a violation of their privacy rights.

Right to Damages: Individuals are entitled to claim compensation for any damage
caused by the unlawful processing of their personal data.

VI. Obligations of Personal Information Controllers (PIC) and Personal Information
Processors (PIP)

Compliance with Data Privacy Principles: PICs and PIPs must strictly comply with the
principles of transparency, legitimate purpose, and proportionality when processing
personal data.

Implementation of Security Measures: Entities must implement reasonable and
appropriate organizational, physical, and technical measures to secure personal
data against breaches, unauthorized access, and other risks.

Notification of Data Breach: In case of a breach of personal data, the PIC must
inform the NPC and the affected data subjects within 72 hours of discovering the
breach.

Appointment of a Data Protection Officer (DPO): Every entity processing personal
data is required to appoint a Data Protection Officer who ensures compliance with
the law and manages data protection issues.

Data Processing Agreement: Where a PIC contracts with a PIP for data processing, a
contract ensuring compliance with data privacy standards must be executed
between the parties.

VII. Security Measures and Breach Notification


The Data Privacy Act outlines stringent security measures to safeguard personal
data. These include:

Organizational Security: Establishing clear policies and procedures for data
management and protection, and ensuring that employees handling personal data
are adequately trained.

Physical Security: Implementing access controls to prevent unauthorized physical
access to personal data storage facilities, whether on-premises or remote.

Technical Security: Employing measures such as encryption, secure storage, and
access control to protect personal data in electronic form.

Data Breach Notification: If a breach occurs, the PIC must notify the NPC and
affected individuals if the breach is likely to affect their rights and freedoms. This
notification should include the nature of the breach, the personal data involved, and
actions taken to mitigate the breach.

VIII. Enforcement and Penalties


The law grants the NPC powers to investigate and enforce compliance with the Act.
Violators of the Data Privacy Act face civil, criminal, and administrative liabilities:

Criminal Penalties: The Act provides for imprisonment of up to six (6) years and
fines of up to five million pesos (₱5,000,000) for violations such as unauthorized
processing, accessing, or disclosing personal data, and concealment of breaches.

Administrative Penalties: The NPC can impose administrative fines and sanctions,
such as revoking or suspending licenses, depending on the gravity of the violation.

Civil Liability: Data subjects who suffer damages due to non-compliance with the Act
may seek compensation.

IX. Role of the National Privacy Commission (NPC)


The National Privacy Commission is the primary enforcement body under the Data
Privacy Act. Its roles include:

Monitoring Compliance: Ensuring that entities comply with the Data Privacy Act and
its implementing rules and regulations.

Adjudicating Complaints: Handling complaints filed by data subjects and imposing
penalties for violations.

Issuing Guidelines: Issuing rules, guidelines, and advisory opinions to clarify the
application of the Data Privacy Act.

X. Relationship with the Constitution and the Bill of Rights


The Data Privacy Act of 2012 operationalizes the constitutional guarantee under
Article III, Section 3 of the 1987 Constitution, which provides for the privacy of
communication and correspondence. The Act complements this constitutional right
by regulating the collection, processing, and management of personal data in
modern information systems, providing a legal framework that balances the
individual's right to privacy with the demands of technological and economic
advancement.

Conclusion
R.A. No. 10173, the Data Privacy Act of 2012, is a comprehensive legislative
measure aimed at protecting individuals' personal data from misuse while ensuring
that the free flow of information is not unduly restricted. The law’s extensive
provisions on data subject rights, data controller and processor obligations, security
measures, and breach notification reflect the country’s commitment to protecting
privacy in the digital age. Compliance with this law is vital for both public and
private entities that handle personal information, and the enforcement powers
granted to the National Privacy Commission ensure that individuals’ rights are
adequately protected.
