Data Privacy Act XU

Module 6: DATA PRIVACY ACT OF 2012

1. What is The Data Privacy Act of the Philippines?


- Republic Act No. 10173, otherwise known as the Data Privacy Act, is a law that seeks to protect all
forms of personal information, whether private, personal, or sensitive. It covers both natural and
juridical persons involved in the processing of personal information.
- The Data Privacy Act (DPA), or Republic Act No. 10173, was passed by the Philippine Congress in
2012; its implementing rules and regulations (IRR) took effect in 2016. RA 10173 assures the "free flow of
information to promote innovation and growth" (Republic Act No. 10173, Ch. 1, Sec. 2) while
protecting the data subject's fundamental right to privacy.

2. What is the state policy?


- It is the policy of the State to protect the fundamental human right of privacy, of communication
while ensuring free flow of information to promote innovation and growth, and national
development.
- The State recognizes the vital role of information and communications technology in
nation-building and its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and protected.

3. How is it implemented?
- RA 10173 protects the right of customers to confidentiality by setting out legal rules that govern how
companies collect, handle, and dispose of personal information. Companies are legally responsible for
keeping their customers' data protected from third parties and from any form of misuse, whether
internal or external.
- Section 32. Implementation of Security Requirements. Notwithstanding the effective date of these
Rules, the requirements in the preceding sections shall be implemented before any off-site or
online access request is approved. Any data sharing agreement between a source agency and
another government agency shall be subject to review of the Commission on its own initiative or
upon complaint of a data subject.

4. What does DPA mean for data collectors/companies?


- The Act applies to any processing of personal data by anyone in the government or private sector. All
personal data must be collected for legitimate reasons that are clear to both the party giving and the
party receiving the information. Consequently, all collection must be done with the customer's proper
consent. All personal information used must be relevant and used solely for its intended and stated
purposes. Companies must protect customer information from collection through proper disposal,
preventing access by unauthorized parties.
- The act states that the collection of personal data “must be a declared, specified, and legitimate
purpose” and further provides that consent is required prior to the collection of all personal data.
It requires that when obtaining consent, the data subject be informed about the extent and
purpose of processing, and it specifically mentions the “automated processing of his or her
personal data for profiling, or processing for direct marketing, and data sharing.” Consent is
further required for sharing information with affiliates or even mother companies.
- Consent must be “freely given, specific, informed,” and the definition further requires that consent
to collection and processing be evidenced by recorded means. However, processing does not
always require consent.
- Consent is not required for processing where the data subject is party to a contractual agreement,
for purposes of fulfilling that contract. The exceptions of compliance with a legal obligation upon
the data controller, protection of the vital interests of the data subject, and response to a national
emergency are also available.
- An exception to consent is allowed where processing is necessary to pursue the legitimate
interests of the data controller, except where overridden by the fundamental rights and freedoms
of the data subject.

5. What are the steps to take to comply with DPA?


- Companies essentially have to ensure that their data collection methods comply with the Act and that
they are transparent with data subjects about the entire process, including any breach of security,
should one occur.
- To do this, companies should appoint a Data Protection Officer and create privacy knowledge
programs and privacy and data policies to regulate the handling of information, as well as routine
assessments to ensure quality data protection.
- In addition, companies must also have a proper procedure for breach notification to its customers.
- The law requires that any entity involved in data processing and subject to the act must develop,
implement and review procedures for the collection of personal data, obtaining consent, limiting
processing to defined purposes, access management, providing recourse to data subjects, and
appropriate data retention policies. These requirements necessitate the creation of a privacy
program. Requirements for technical security safeguards in the act also mandate that an entity
have a security program.

6. What does DPA entail?


- First, all personal information must be collected for reasons that are specified, legitimate, and
reasonable. In other words, customers must opt in for their data to be used for specific reasons
that are transparent and legal.
- Second, personal information must be handled properly. Information must be kept accurate and
relevant, used only for the stated purposes, and retained only for as long as reasonably needed.
Companies must actively ensure that other, unauthorized parties do not have access to their
customers' information.
- Third, personal information must be discarded in a way that does not make it visible and
accessible to unauthorized third parties.
- Unauthorized processing, negligent handling, or improper disposal of personal information and
related acts as mentioned under the law will be punishable.
7. Who needs to register?
SECTION 5. Mandatory Registration. A PIC or PIP shall register its data processing systems if it is
processing personal data and operating in the country under any of the following conditions:
A. the PIC or PIP employs at least two hundred fifty (250) employees;
B. the processing includes sensitive personal information of at least one thousand (1,000)
individuals;
C. the processing is likely to pose a risk to the rights and freedoms of data subjects.
Processing operations that pose a risk to data subjects include those that involve:
1.) information that would likely affect national security, public safety, public
order, or public health;
2.) information required by applicable laws or rules to be confidential;
3.) vulnerable data subjects like minors, the mentally ill, asylum seekers, the
elderly, patients, those involving criminal offenses, or in any other case where
an imbalance exists in the relationship between a data subject and a PIC or PIP;
4.) automated decision-making; or
5.) profiling;
D. the processing is not occasional: Provided, that processing shall be considered
occasional if it is only incidental to the mandate or function of the PIC or PIP, or, it only
occurs under specific circumstances and is not regularly performed. Processing that
constitutes a core activity of a PIC or PIP, or is integral thereto, will not be considered
occasional:
In determining the existence of the foregoing conditions, relevant factors, such
as the number of employees, or the records of individuals whose sensitive personal
information are being processed, shall only be considered if they are physically located in
the Philippines. Data processing systems that involve automated decision-making shall,
in all instances, be registered with the Commission.
For all other data processing systems operating under the conditions set out in
subsections C and D, the Commission shall determine the specific sectors, industries, or
entities that shall be covered by mandatory registration. Appendix 1 of this Circular shall
feature the initial list.
It shall be regularly reviewed and may be updated by the Commission through
subsequent issuances.

SECTION 6. Voluntary Registration. An application for registration by a PIC or PIP whose data
processing system does not operate under any of the conditions set out in the next preceding
Section shall be accepted as a voluntary registration.

Section 47. Registration of Personal Data Processing Systems. The personal information
controller or personal information processor that employs fewer than two hundred fifty
(250) persons shall not be required to register unless the processing it carries out is likely
to pose a risk to the rights and freedoms of data subjects, the processing is not
occasional, or the processing includes sensitive personal information of at least one
thousand (1,000) individuals.
a. The contents of registration shall include:
1. The name and address of the personal information controller or personal
information processor, and of its representative, if any, including their contact
details;
2. The purpose or purposes of the processing, and whether processing is being
done under an outsourcing or subcontracting agreement;
3. A description of the category or categories of data subjects, and of the data
or categories of data relating to them;
4. The recipients or categories of recipients to whom the data might be
disclosed;
5. Proposed transfers of personal data outside the Philippines;
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and information
security;
9. Attestation to all certifications attained that are related to information and
communications processing; and
10. Name and contact details of the compliance or data protection officer,
which shall immediately be updated in case of changes.
b. The procedure for registration shall be in accordance with these Rules and other
issuances of the Commission.

8. How to remain in compliance of the DPA?


- The National Privacy Commission, which was created to enforce RA 10173, checks whether
companies are compliant against five elements:
1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy
5. Exercising a breach reporting procedure

9. What is the state policy concerning information and communications systems?


The State recognizes the vital role of information and communications technology in nation-building and
its inherent obligation to ensure that personal information in information and communications systems in
the government and in the private sector are secured and protected.

10. What is the right to privacy?


Philippine Constitution Article 3, Section 2: The right of the people to be secure in their persons,
houses, papers, and effects against unreasonable searches and seizures of whatever nature and
for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except
upon probable cause to be determined personally by the judge after examination under oath or
affirmation of the complainant and the witnesses he may produce, and particularly describing the
place to be searched and the persons or things to be seized.
Section 3.
(1) The privacy of communication and correspondence shall be inviolable except upon lawful order
of the court, or when public safety or order requires otherwise, as prescribed by law.
(2) Any evidence obtained in violation of this or the preceding section shall be inadmissible for any
purpose in any proceeding.

- In Philippine law, the concept of privacy is enshrined in the Constitution and is regarded
as the right to be free from unwarranted exploitation of one's person or from intrusion
into one's private activities in such a way as to cause humiliation to a person's ordinary
sensibilities.

11. Define the following terms:

● Commission
- refers to the National Privacy Commission (NPC), attached to the Department of Information and
Communications Technology (DICT). It is headed by a Privacy Commissioner, assisted by two Deputy
Privacy Commissioners and a Secretariat.
● Consent of the data subject
- refers to any freely given, specific, informed indication of will, whereby the data
subject agrees to the collection and processing of his or her personal, sensitive personal,
or privileged information.
- Consent shall be evidenced by written, electronic or recorded means.
- It may also be given on behalf of a data subject by a lawful representative or an
agent specifically authorized by the data subject to do so;

● Data subject
- refers to an individual whose personal, sensitive personal, or privileged information is
processed;

● Direct marketing
- refers to communication by whatever means of any advertising or marketing
material which is directed to particular individuals;

● Filing system
- refers to any set of information relating to natural or juridical persons to the
extent that, although the information is not processed by equipment operating
automatically in response to instructions given for that purpose, the set is
structured, either by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular individual is
readily accessible

● Information and Communications System


- refers to a system for generating, sending, receiving, storing, or otherwise processing
electronic data messages or electronic documents, and includes the computer system or
other similar device by which data is recorded, transmitted, or stored, and any
procedure related to the recording, transmission, or storage of electronic data, electronic
message, or electronic document;
● Personal information
- refers to any information, whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly ascertained
by the entity holding the information, or when put together with other information
would directly and certainly identify an individual;
- An image of a person is personal information, because the person's identity can be determined
from it.

● Personal information controller


- refers to a natural or juridical person, or any other body who controls the
processing of personal data, or instructs another to process personal data on its
behalf.
The term excludes:
1. A natural or juridical person, or any other body, who performs
such functions as instructed by another person or organization; or
2. A natural person who processes personal data in connection with
his or her personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on
what information is collected, or the purpose or extent of its processing;
- The agreement between a PIC and a PIP is an outsourcing agreement.

● Personal information processor


- refers to any natural or juridical person or any other body to whom a personal
information controller may outsource or instruct the processing of personal data
pertaining to a data subject;

● Processing
- refers to any operation or any set of operations performed upon personal data
including, but not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking, erasure
or destruction of data.
- Processing may be performed through automated means, or manual processing, if the
personal data are contained or are intended to be contained in a filing system;

● Privileged information
- refers to any and all forms of data, which, under the Rules of Court and other
pertinent laws constitute privileged communication;

● Sensitive personal information


- refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or
to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the
sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is
not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept
classified

12. Which government agency is in charge of the administration and implementation of the DPA?
- Pursuant to Section 7 of the DPA, the National Privacy Commission (NPC) is charged
with the administration and implementation of the provisions of the law, which includes ensuring
compliance with the provisions of the DPA and with international standards for data protection,
and carrying out efforts to formulate and implement plans and policies that strengthen the
protection of personal information in the country, in coordination with other government
agencies and the private sector.

13. What is the scope and application of the DPA?


- This Act applies to the processing of all types of personal information and to any natural and
juridical person involved in personal information processing including those personal information
controllers and processors who, although not found or established in the Philippines, use
equipment that are located in the Philippines, or those who maintain an office, branch or agency
in the Philippines subject to the immediately succeeding paragraph: Provided, That the
requirements of Section 5 are complied with.
- The Act and these Rules apply to the processing of personal data by any natural and juridical
person in the government or private sector.

They apply to an act done or practice engaged in and outside of the Philippines if:
a. The natural or juridical person involved in the processing of personal data is found or
established in the Philippines;
b. The act, practice or processing relates to personal data about a Philippine citizen or
Philippine resident;
c. The processing of personal data is being done in the Philippines; or
d. The act, practice or processing of personal data is done or engaged in by an entity
with links to the Philippines, with due consideration to international law and comity, such
as, but not limited to, the following:
1. Use of equipment located in the country, or maintains an office, branch or
agency in the Philippines for processing of personal data;
2. A contract is entered in the Philippines;
3. A juridical entity unincorporated in the Philippines but has central
management and control in the country;
4. An entity that has a branch, agency, office or subsidiary in the Philippines and
the parent or affiliate of the Philippine entity has access to personal data;
5. An entity that carries on business in the Philippines;
6. An entity that collects or holds personal data in the Philippines.
14. What is excluded from the provisions of the DPA?
The Data Privacy Act explicitly states that its provisions are not applicable in the following cases:

(a) Information about any individual who is or was an officer or employee of a government institution that
relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of
employment with the government;

(b) Information about an individual who is or was performing service under contract for a government
institution that relates to the services performed, including the terms of the contract, and the name of the
individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license
or permit given by the government to an individual (for example, a business permit), including the name
of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the
processing of personal data for the performance by the independent, central monetary authority and law
enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing
in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as
the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit
Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No.
9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and
other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the
laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in
the Philippines.
15. Processing of personal information

■ The general data privacy principles in relation to personal information gathering

- Section 17. General Data Privacy Principles. The processing of personal data shall be allowed,
subject to compliance with the requirements of the Act and other laws allowing disclosure of
information to the public, and adherence to the principles of transparency, legitimate purpose,
and proportionality.
- In short: processing is permitted only for specific and legitimate purposes, and only while the
three principles below are observed.

a. Principle of Proportionality: The Processing of Personal Data shall be adequate, relevant,
suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal
Data shall be processed by the Company only if the purpose of the Processing could not
reasonably be fulfilled by other means.
b. Principle of Legitimate Purpose: The Processing of Personal Data by the Company shall be
compatible with a declared and specified purpose which must not be contrary to law, morals, or
public policy.
c. Principle of Transparency: The Data Subject must be aware of the nature, purpose, and extent
of the Processing of his or her Personal Data by the Company, including the risks and safeguards
involved, the identity of persons and entities involved in processing his or her Personal Data, his
or her rights as a Data Subject, and how these can be exercised. Any information and
communication relating to the Processing of Personal Data should be easy to access and
understand, using clear and plain language.

Criteria for Lawful Processing of Personal Information: The processing of personal information
shall be permitted only if not otherwise prohibited by law, and when at least one of the following
conditions exists:
1) The data subject has given his or her consent;
2) The processing of personal information is necessary and is related to the fulfillment of a
contract with the data subject or in order to take steps at the request of the data subject prior
to entering into a contract;
3) The processing is necessary for compliance with a legal obligation to which the personal
information controller is subject;
4) The processing is necessary to protect vitally important interests of the data subject,
including life and health;
5) The processing is necessary in order to respond to a national emergency, to comply with the
requirements of public order and safety, or to fulfill functions of public authority which
necessarily include the processing of personal data for the fulfillment of its mandate; or
6) The processing is necessary for the purposes of the legitimate interests pursued by the
personal information controller or by a third party or parties to whom the data is disclosed,
except where such interests are overridden by fundamental rights and freedoms of the data
subject which require protection under the Philippine Constitution.

■ Mandatory personal information breach notification

- Section 38. Data Breach Notification.
a. The Commission and affected data subjects shall be notified by the personal information
controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief
by the personal information controller or personal information processor that, a personal data
breach requiring notification has occurred.
b. Notification of personal data breach shall be required when sensitive personal information or
any other information that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the personal
information controller or the Commission believes that such unauthorized acquisition is likely to
give rise to a real risk of serious harm to any affected data subject.
c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission
may investigate the circumstances surrounding the personal data breach. Investigations may
include on-site examination of systems and procedures.

■ Define Security incident

- "Security incident" is an event or occurrence that affects or tends to affect data protection, or
may compromise the availability, integrity and confidentiality of personal data. It includes
incidents that would result in a personal data breach, if not for safeguards that have been put in
place;

■ Define Personal data breach

- "Personal data breach" refers to a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted,
stored, or otherwise processed;

■ Requirement to notify

- Not every personal data breach requires notification; the law sets out several bases for not
notifying data subjects or the Commission. Section 38 of the IRR makes notification mandatory
only when all four of the following hold:
1. The breached information is sensitive personal information, or information that could be used
for identity fraud, and
2. There is a reasonable belief that unauthorized acquisition has occurred, and
3. The risk to the data subject is real, and
4. The potential harm is serious.

The Commission may also determine that notification to data subjects is unwarranted after taking
into account the entity's compliance with the Data Privacy Act and whether the acquisition was in
good faith.

■ Notification timeline and recipient

The law places a concurrent obligation to notify the National Privacy Commission as well as
affected data subjects within 72 hours of knowledge of, or reasonable belief by the personal
information controller of, a personal data breach that requires notification.

It is unclear at present whether the Commission would allow a delay in notification of data subjects
so that the Commission can first determine whether a notification is unwarranted. By the letter of
the law, waiting would be a gamble.

■ Notification contents

- Section 39. Contents of Notification. The notification shall at least:
a. describe the nature of the breach,
b. the personal data possibly involved,
c. the measures taken by the entity to address the breach,
d. measures taken to reduce the harm or negative consequences of the breach,
e. the representatives of the personal information controller, including their contact details,
f. from whom the data subject can obtain additional information about the breach, and
g. any assistance to be provided to the affected data subjects.
- Section 40. Delay of Notification. Notification may be delayed only to the extent necessary to
determine the scope of the breach, to prevent further disclosures, or to restore reasonable
integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance
by the personal information controller with this section and the existence of good faith in the
acquisition of personal data.
b. The Commission may exempt a personal information controller from notification where, in its
reasonable judgment, such notification would not be in the public interest, or in the interest of
the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress
of a criminal investigation related to a serious breach.
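The definitions above draw three lines an incident responder has to apply in sequence: was personal data involved at all, did safeguards hold (security incident only) or was there destruction, loss, alteration, disclosure or access (personal data breach), and are all four Section 38(b) conditions met (notify the NPC and data subjects within 72 hours of knowledge). The following is an added example of that triage as code; it is not part of the original notes or any NPC issuance. The incident schema, the sample incidents, the draft notice, the timestamps and the email address are constructed for illustration; the "real risk of serious harm" judgement is taken as an input because the IRR leaves it to the PIC (or the Commission), not to a formula.

```python
"""Breach-notification triage modelled on DPA IRR Sections 38-40 (added example).

Field names and sample data below are this example's own assumptions, not the IRR's.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Outcomes that turn a security incident into a "personal data breach" (IRR definition).
BREACH_OUTCOMES = frozenset(
    {"destruction", "loss", "alteration", "unauthorized_disclosure", "unauthorized_access"}
)
NOTIFY_WINDOW = timedelta(hours=72)  # Section 38(a): 72 hours from knowledge/reasonable belief

# Section 39: minimum contents of the notification (keys are this example's naming).
REQUIRED_NOTICE_FIELDS = (
    "nature_of_breach",
    "personal_data_involved",
    "measures_to_address_breach",
    "measures_to_reduce_harm",
    "pic_representative_contact",
    "info_contact_for_data_subjects",
    "assistance_to_data_subjects",
)


class Outcome(Enum):
    NOT_PERSONAL_DATA = "event did not involve personal data"
    SECURITY_INCIDENT = "security incident; safeguards held, no personal data breach"
    BREACH_NO_NOTICE = "personal data breach; Section 38(b) test not met, document internally"
    BREACH_NOTIFY = "personal data breach; notify NPC and affected data subjects within 72 hours"


@dataclass(frozen=True)
class Incident:
    """Hypothetical triage record filled in by the responder."""
    summary: str
    knowledge_time: datetime         # when the PIC/PIP first knew or reasonably believed
    personal_data_involved: bool
    outcomes: frozenset[str]         # realised outcomes, subset of BREACH_OUTCOMES
    sensitive_personal_info: bool    # SPI per Section 3 (health, government IDs, ...)
    identity_fraud_enabler: bool     # other data that could enable identity fraud
    unauthorized_acquisition: bool   # reasonably believed acquired by an unauthorized person
    real_risk_of_serious_harm: bool  # risk judgement of the PIC (or the Commission)


def classify(inc: Incident) -> Outcome:
    """Apply the definitions in order: personal data? breach outcome? Section 38(b) test?"""
    if not inc.personal_data_involved:
        return Outcome.NOT_PERSONAL_DATA
    if not (inc.outcomes & BREACH_OUTCOMES):
        # Affects data protection, but e.g. encryption and backups prevented any loss/access.
        return Outcome.SECURITY_INCIDENT
    data_in_scope = inc.sensitive_personal_info or inc.identity_fraud_enabler
    if data_in_scope and inc.unauthorized_acquisition and inc.real_risk_of_serious_harm:
        return Outcome.BREACH_NOTIFY
    return Outcome.BREACH_NO_NOTICE


def notification_deadline(inc: Incident) -> datetime | None:
    """Latest time to notify NPC and data subjects, or None when no notification is required."""
    if classify(inc) is not Outcome.BREACH_NOTIFY:
        return None
    return inc.knowledge_time + NOTIFY_WINDOW


def hours_left(inc: Incident, now: datetime) -> float | None:
    deadline = notification_deadline(inc)
    return None if deadline is None else (deadline - now) / timedelta(hours=1)


def missing_notice_fields(draft: dict[str, str]) -> list[str]:
    """Section 39 check: which required items are absent or blank in a draft notification."""
    return [f for f in REQUIRED_NOTICE_FIELDS if not draft.get(f, "").strip()]


# Constructed sample data (not real incidents).
T0 = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=60)  # clock reading used by the standalone run
SAMPLE_INCIDENTS = {
    "lost_encrypted_laptop": Incident(
        "Laptop lost in transit; full-disk encrypted, data restored from backup",
        T0, True, frozenset(), True, True, False, False),
    "exposed_bucket": Incident(
        "Public object-storage bucket with patient intake forms, downloads seen in logs",
        T0, True, frozenset({"unauthorized_access"}), True, True, True, True),
    "misdirected_newsletter": Incident(
        "Newsletter sent with recipients' first names visible in the To: field",
        T0, True, frozenset({"unauthorized_disclosure"}), False, False, True, False),
}
DRAFT_NOTICE = {
    "nature_of_breach": "Misconfigured bucket ACL exposed patient intake forms",
    "personal_data_involved": "Names, dates of birth, diagnoses (sensitive personal information)",
    "measures_to_address_breach": "ACL set to private; access logs preserved",
    "measures_to_reduce_harm": "",
    "pic_representative_contact": "dpo@example.com (placeholder)",
    "info_contact_for_data_subjects": "dpo@example.com (placeholder)",
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(f"{name}: {classify(inc).value}; deadline={notification_deadline(inc)}")
    print("hours left on exposed_bucket:", hours_left(SAMPLE_INCIDENTS["exposed_bucket"], NOW))
    print("draft notice missing:", missing_notice_fields(DRAFT_NOTICE))
```

The lost laptop is the edge case the IRR definition of "security incident" is written for: it still gets an incident record and a root-cause review, but because the safeguards held there is no breach and no 72-hour clock. The newsletter case is a breach (unauthorized disclosure) that fails the Section 38(b) test, so it is documented internally rather than notified; if the disclosed data had included anything usable for identity fraud the same record would flip to BREACH_NOTIFY.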

16. Criteria for Lawful Processing of Personal Information.


- Section 21. Criteria for Lawful Processing of Personal Information. Processing of personal
information is allowed, unless prohibited by law. General rule: permitted unless prohibited by law.

For processing to be lawful, any of the following conditions must be complied with:
a. The data subject must have given his or her consent prior to the collection, or as soon as
practicable and reasonable;
b. The processing involves the personal information of a data subject who is a party to
a contractual agreement, in order to fulfill obligations under the contract or to take
steps at the request of the data subject prior to entering the said agreement;
c. The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;
d. The processing is necessary to protect vitally important interests of the data
subject, including his or her life and health
e. The processing of personal information is necessary to respond to national
emergencies or to comply with the requirements of public order and safety, as
prescribed by law;
f. The processing of personal information is necessary for the fulfillment of the
constitutional or statutory mandate of a public authority; or
g. The processing is necessary to pursue the legitimate interests of the personal
information controller, or by a third party or parties to whom the data is disclosed,
except where such interests are overridden by fundamental rights and freedoms of the
data subject, which require protection under the Philippine Constitution.

17. The rule regarding processing of sensitive personal information and privileged information.
- Section 22. Sensitive Personal Information and Privileged Information. The processing of
sensitive personal and privileged information is prohibited, except in any of the following cases:
a. Consent of the data subject;
- Consent is given by data subject, or by the parties to the exchange of
privileged information, prior to the processing of the sensitive personal
information or privileged information, which shall be undertaken pursuant to
a declared, specified, and legitimate purpose;
b. Pursuant to law that does not require consent;
- The processing of the sensitive personal information or privileged
information is provided for by existing laws and regulations: Provided, that
said laws and regulations do not require the consent of the data subject for
the processing, and guarantee the protection of personal data;
c. Necessity to protect life and health of a person;
- The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to
express his or her consent prior to the processing;
d. Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.
- The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations provided that:
1. Processing is confined and related to the bona fide members of these
organizations or their associations;
2. The sensitive personal information are not transferred to third parties; and
3. Consent of the data subject was obtained prior to processing;
e. Necessity for medical treatment;
- The processing is necessary for the purpose of medical treatment:
Provided, that it is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal data is
ensured; or
f. The processing concerns sensitive personal information or privileged information
necessary for the protection of lawful rights and interests of natural or legal
persons in court proceedings, or the establishment, exercise, or defense of legal claims,
or when provided to government or public authority pursuant to a constitutional or
statutory mandate.
18. Is subcontracting of personal information allowed?
- YES.
- Section 43. Subcontract of Personal Data. A personal information controller may
subcontract or outsource the processing of personal data:
Provided, that the personal information controller shall use contractual or other
reasonable means to ensure that proper safeguards are in place, to ensure the
confidentiality, integrity and availability of the personal data processed, prevent its use for
unauthorized purposes, and generally, comply with the requirements of the Act, these Rules,
other applicable laws for processing of personal data, and other issuances of the Commission.

19. Extension of Privileged Communication over Privileged Information

- Section 23. Extension of Privileged Communication. Personal information controllers may
invoke the principle of privileged communication over privileged information that they
lawfully control or process. Subject to existing laws and regulations, any evidence gathered
from privileged information is inadmissible.
- When the Commission inquires upon communication claimed to be privileged, the personal
information controller concerned shall prove the nature of the communication in an executive
session. Should the communication be determined as privileged, it shall be excluded from
evidence, and the contents thereof shall not form part of the records of the case:
Provided, that where the privileged communication itself is the subject of a breach, or a privacy
concern or investigation, it may be disclosed to the Commission but only to the extent necessary
for the purpose of investigation, without including the contents thereof in the records.

20. Rights of the Data Subject

Section 34. Rights of the Data Subject. The data subject is entitled to the following rights:
a. Right to be informed.
1. The data subject has a right to be informed whether personal data
pertaining to him or her shall be, are being, or have been processed, including
the existence of automated decision-making and profiling.
2. The data subject shall be notified and furnished with information indicated
hereunder before the entry of his or her personal data into the processing
system of the personal information controller, or at the next practical
opportunity:
a. Description of the personal data to be entered into the system;
b. Purposes for which they are being or will be processed, including
processing for direct marketing, profiling or historical, statistical or
scientific purpose;
c. Basis of processing, when processing is not based on the consent of the
data subject;
d. Scope and method of the personal data processing;
e. The recipients or classes of recipients to whom the personal data
are or may be disclosed;
f. Methods utilized for automated access, if the same is allowed by the
data subject, and the extent to which such access is authorized,
including meaningful information about the logic involved, as well
as the significance and the envisaged consequences of such processing
for the data subject;
g. The identity and contact details of the personal data controller or its
representative;
h. The period for which the information will be stored; and
i. The existence of their rights as data subjects, including the right to
access, correction, and object to the processing, as well as the right
to lodge a complaint before the Commission.
b. Right to object. The data subject shall have the right to object to the processing of
his or her personal data, including processing for direct marketing, automated
processing or profiling.
The data subject shall also be notified and given an opportunity to withhold
consent to the processing in case of changes or any amendment to the information
supplied or declared to the data subject in the preceding paragraph.

When a data subject objects or withholds consent, the personal information
controller shall no longer process the personal data, unless:
1. The personal data is needed pursuant to a subpoena;
2. The collection and processing are for obvious purposes, including,
when it is necessary for the performance of or in relation to a
contract or service to which the data subject is a party, or when
necessary or desirable in the context of an employer-employee
relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of a
legal obligation.
c. Right to Access.
The data subject has the right to reasonable access to, upon demand, the
following:
1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if
any;
6. Information on automated processes where the data will, or is likely to,
be made as the sole basis for any decision that significantly affects or
will affect the data subject;
7. Date when his or her personal data concerning the data subject
were last accessed and modified; and
8. The designation, name or identity, and address of the personal
information controller.
d. Right to rectification or Right to Dispute.
The data subject has the right to dispute the inaccuracy or error in the
personal data and have the personal information controller correct it immediately
and accordingly, unless the request is vexatious or otherwise unreasonable.
If the personal data has been corrected, the personal information
controller shall ensure the accessibility of both the new and the retracted
information and the simultaneous receipt of the new and the retracted information by
the intended recipients thereof:
Provided, That recipients or third parties who have previously received such
processed personal data shall be informed of its inaccuracy and its rectification,
upon reasonable request of the data subject.

e. Right to erasure - Suspend, withdraw or order the blocking, removal or destruction
of his or her personal information.
The data subject shall have the right to suspend, withdraw or order the
blocking, removal or destruction of his or her personal data from the personal
information controller’s filing system.
1. This right may be exercised upon discovery and substantial proof of
any of the following:
a. The personal data is incomplete, outdated, false, or
unlawfully obtained;
b. The personal data is being used for purpose not
authorized by the data subject;
c. The personal data is no longer necessary for the purposes
for which they were collected;
d. The data subject withdraws consent or objects to the
processing, and there is no other legal ground or
overriding legitimate interest for the processing;
e. The personal data concerns private information that is
prejudicial to the data subject, unless justified by freedom
of speech, of expression, or of the press or otherwise
authorized;
f. The processing is unlawful;
g. The personal information controller or personal
information processor violated the rights of the data subject.
2. The personal information controller may notify third parties who
have previously received such processed personal information.
f. Right to damages or Right to be indemnified.
The data subject shall be indemnified for any damages sustained due to
such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized
use of personal data, taking into account any violation of his or her rights and freedoms
as data subject.

g. Right to Be furnished the information indicated hereunder before the entry of his or
her personal information into the processing system of the personal information
controller, or at the next practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data
subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its
Representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to
lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these
matters shall not be amended without prior notification of data subject:
Provided, That the notification under subsection (b) shall not apply should the
personal information be needed pursuant to a subpoena or when the collection and
processing are for obvious purposes, including when it is necessary for the performance
of or in relation to a contract or service or when necessary or desirable in the context of
an employer-employee relationship, between the collector and the data subject, or when
the information is being collected and processed as a result of legal obligation;

21. Transmissibility of Rights of the Data Subject

- Section 35. Transmissibility of Rights of the Data Subject.
The lawful heirs and assigns of the data subject may invoke the rights of the data subject
to which he or she is an heir or an assignee, at any time after the death of the data subject, or
when the data subject is incapacitated or incapable of exercising the rights as enumerated in
the immediately preceding section.

22. Right to Data Portability

- Section 36. Right to Data Portability.
Where his or her personal data is processed by electronic means and in a structured and
commonly used format, the data subject shall have the right to obtain from the personal
information controller a copy of such data in an electronic or structured format that is commonly
used and allows for further use by the data subject.
The exercise of this right shall primarily take into account the right of the data subject
to have control over his or her personal data being processed based on consent or
contract, for commercial purpose, or through automated means.
The Commission may specify the electronic format referred to above, as well as the
technical standards, modalities, procedures and other rules for their transfer.

- Section 37. Limitation on Rights.
The immediately preceding sections shall not be applicable if the processed
personal data are used only for the needs of scientific and statistical research and, on the basis
of such, no activities are carried out and no decisions are taken regarding the data subject:
Provided that the personal data shall be held under strict confidentiality and shall be
used only for the declared purpose.
The said sections are also not applicable to the processing of personal data
gathered for the purpose of investigations in relation to any criminal, administrative or tax
liabilities of a data subject.
Any limitations on the rights of the data subject shall only be to the minimum extent
necessary to achieve the purpose of said research or investigation.

23. Security of Sensitive personal information in government

Rule VII. Security of Sensitive Personal Information in Government

Sec. 30 Responsibility of Heads of Agencies. All sensitive personal information maintained by
the government, its agencies, and instrumentalities shall be secured, as far as practicable, with
the use of the most appropriate standard recognized by the information and communications
technology industry, subject to these Rules and other issuances of the Commission. The head of
each government agency or instrumentality shall be responsible for complying with the security
requirements mentioned herein. The Commission shall monitor government agency compliance
and may recommend the necessary action in order to satisfy the minimum standards.
Sec. 31 Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.

a. On-site and Online Access.
1. No employee of the government shall have access to sensitive personal information on
government property or through online facilities unless the employee has received a security
clearance from the head of the source agency. The source agency is the government agency
that originally collected the personal data.
2. A source agency shall strictly regulate access to sensitive personal information under its
custody or control, particularly when it allows online access. An employee of the government
shall only be granted a security clearance when the performance of his or her official functions
or the provision of a public service directly depends on and cannot otherwise be performed
unless access to the personal data is allowed.
3. Where allowed under the next preceding sections, online access to sensitive personal
information shall be subject to the following conditions:
a. An information technology governance framework has been designed and implemented;
b. Sufficient organizational, physical and technical security measures have been established;
c. The agency is capable of protecting sensitive personal information in accordance with data
privacy practices and standards recognized by the information and communication technology
industry;
d. The employee of the government is only given online access to sensitive personal information
necessary for the performance of official functions or the provision of a public service.
b. Off-site access.
1. Sensitive personal information maintained by an agency may not be transported or accessed
from a location off or outside of government property, whether by its agent or employee, unless
the head of agency has ensured the implementation of privacy policies and appropriate security
measures. A request for such transportation or access shall be submitted to and approved by the
head of agency. The request must include proper accountability mechanisms in the processing
of data.
2. The head of agency shall approve requests for off-site access in accordance with the following
guidelines:
a. Deadline for Approval or Disapproval. The head of agency shall approve or disapprove the
request within two (2) business days after the date of submission of the request. Where no
action is taken by the head of the agency, the request is considered disapproved;
b. Limitation to One Thousand (1,000) Records. Where a request is approved, the head of agency
shall limit the access to not more than one thousand (1,000) records at a time, subject to the next
succeeding paragraph.
c. Encryption. Any technology used to store, transport or access sensitive personal information
for purposes of off-site access approved under this subsection shall be secured by the use of the
most secure encryption standard recognized by the Commission.

Sec. 32 Implementation of Security Requirements. Notwithstanding the effective date of these
Rules, the requirements in the preceding sections shall be implemented before any off-site or
online access request is approved. Any data sharing agreement between a source agency and
another government agency shall be subject to review of the Commission on its own initiative
or upon complaint of data subject.

Sec. 33 Applicability to Government Contractors. In entering into any contract with a private
service provider that may involve accessing or requiring sensitive personal information from
one thousand (1,000) or more individuals, a government agency shall require such service
provider and its employees to register their personal data processing system with the
Commission in accordance with the Act and these Rules. The service provider, as personal
information processor, shall comply with the other provisions of the Act and these Rules,
particularly the immediately preceding sections, similar to a government agency and its
employees.

ADDITIONAL:

SECTION 9. Registration Process. A PIC or PIP shall register through the Commission’s official website in two (2)
phases:

A. Phase I. A PIC or PIP, through its DPO, shall accomplish the prescribed application form, and submit the same to
the Commission together with all supporting documents. Upon review and validation of the submission, the
Commission shall provide the PIC or PIP via email an access code, which shall allow it to proceed to Phase II of the
registration process.

B. Phase II. Using the access code provided by the Commission, a PIC or PIP shall proceed to the online registration
platform and provide all relevant information regarding its data processing systems. The Commission shall notify
the PIC or PIP via email to confirm the latter’s successful completion of the registration process: Provided that
registration may be done in person at the office of the Commission in the event that online access is not available.