Declaration of Policy
It is the policy of the State to protect the
fundamental human right of privacy of
communication while ensuring free flow of
information to promote innovation and growth. The
State recognizes the vital role of information and
communications technology in nation-building and
its inherent obligation to ensure that personal
information in information and communications
systems in the government and in the private sector
are secured and protected.
Definition of Terms (Sec. 3)
Data subject - refers to an individual whose
personal information is processed.
Consent of the data subject* - refers to any freely
given, specific, informed indication of will, whereby
the data subject agrees to the collection and
processing of personal information about and/or
relating to him or her. Consent shall be evidenced by
written, electronic or recorded means. It may also
be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.
Filing system - refers to any set of information relating to
natural or juridical persons to the extent that, although the
information is not processed by equipment operating
automatically in response to instructions given for that
purpose, the set is structured, either by reference to individuals
or by reference to criteria relating to individuals, in such a way
that specific information relating to a particular person is
readily accessible.
Information and Communications System - refers to a system
for generating, sending, receiving, storing or otherwise
processing electronic data messages or electronic documents
and includes the computer system or other similar device by or
which data is recorded, transmitted or stored and any
procedure related to the recording, transmission or storage of
electronic data, electronic message, or electronic document.
Definition of Terms (Sec. 3)
PERSONAL information - refers to any information
whether recorded in a material form or not, from which
the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity
holding the information, or when put together with
other information would directly and certainly identify
an individual.
PRIVILEGED information - refers to any and all forms of
data which under the Rules of Court and other
pertinent laws constitute privileged communication.
SENSITIVE personal information - refers to personal
information:
(1) About an individual's race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or sexual life
of a person, or to any proceeding for any offense committed or
alleged to have been committed by such person, the disposal of
such proceedings, or the sentence of any court in such
proceedings;
(3) Issued by government agencies peculiar to an individual
which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of
Congress to be kept classified.
COMMITTED TO YOUR CPA REVIEW NEED
ARV ATTY. AMADO VILLEGAS JR.
Personal information controller (PIC) - refers to a person or
organization who controls the collection, holding, processing or
use of personal information, including a person or organization
who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or
her behalf.
The term excludes:
(1) A person or organization who performs such functions as
instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal
information in connection with the individual's personal, family
or household affairs.
Definition of Terms (Sec. 3)
Data processing systems - refers to the structure and procedure by
which personal data is collected and further processed in an
information and communications system or relevant filing system,
including the purpose and intended output of the processing.
Personal information processor (PIP) - refers to any natural or
juridical person qualified to act as such under this Act to whom a
personal information controller may outsource the processing of
personal data pertaining to a data subject.
Processing - refers to any operation or any set of operations
performed upon personal information including, but not limited to,
the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking,
erasure or destruction of data. It may be performed through
automated means, or manual processing, if the personal data are
contained or are intended to be contained in a filing system.
Distinctions
Personal Information Controller (PIC):
- Has control of the why and how of the data processing activity
- Has significant decision making / professional judgment
- Has control over the content
- Has the obligation to notify in case of breach
- Ensures safeguards/confidentiality
Personal Information Processor (PIP), outsourced:
- Handles the personal information of the PIC
- Technical aspect (storage, modification, consultation and erasure)
- It merely carries out the instructions of the PIC
- It cannot share, amend or further process outside the bounds of the contract
Definition of Terms (IRR)
Data sharing - is the disclosure or transfer to a third party of personal
data under the custody of a personal information controller or
personal information processor. In the case of the latter, such
disclosure or transfer must have been upon the instructions of the
personal information controller concerned. The term excludes
outsourcing, or the disclosure or transfer of personal data by a
personal information controller to a personal information processor.
Profiling - refers to any form of automated processing of personal
data consisting of the use of personal data to evaluate certain
personal aspects relating to a natural person, in particular to analyze
or predict aspects concerning that natural person's performance at
work, economic situation, health, personal preferences, interests,
reliability, behavior, location or movements.
Distinctions
Outsourcing (PIP):
- PIC to PIP
Data Sharing:
- PIC to TP
- PIC to PIP to TP
- Each party to data sharing has its own reasons for processing the
personal data involved.
- All parties to a data sharing agreement are considered PIC.
BATANGAS CPA REVIEW CENTER
Definition of Terms (IRR)
Personal data breach - refers to a breach of security leading
to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
transmitted, stored, or otherwise processed.
Security incident - is an event or occurrence that affects or
tends to affect data protection, or may compromise the
availability, integrity and confidentiality of personal data. It
includes incidents that would result to a personal data
breach, if not for safeguards that have been put in place.
Distinctions
Personal Data Breach:
- ACTUAL breach of security leading to the accidental or unlawful
- Reported to NPC
Security Incident:
- MAY compromise the availability, integrity and confidentiality of
personal data
- Reporting to NPC not required
National Privacy Commission
The National Privacy Commission is an
independent body mandated to administer and
implement the Act, and to monitor and ensure
compliance of the country with international
standards set for personal data protection.
Functions* of the NPC (17)/ (Sec. 7)
Rule Making
Advisory
Public Education
Compliance and Monitoring
Complaints and Investigation
Enforcement
Other Functions
It is attached to the Department of Information and
Communications Technology (DICT) and shall be
headed by a Privacy Commissioner, who shall also
act as Chairman of the Commission. The Privacy
Commissioner shall be assisted by two (2) Deputy
Privacy Commissioners, one to be responsible for
Data Processing Systems and one to be responsible
for Policies and Planning. The Privacy
Commissioner and the two (2) Deputy Privacy
Commissioners shall be appointed by the President
of the Philippines for a term of three (3) years, and
may be reappointed for another term of three (3)
years.
The Secretariat shall be headed by an Executive Director and
shall be organized according to the following offices: (a) Data
Security and Compliance Office; (b) Legal and Enforcement
Office; (c) Finance and Administrative Office; (d) Privacy Policy
Office; and (e) Public Information and Assistance Office (IRR)
Majority of the members of the Secretariat must have served for
at least five (5) years in any agency of the government that is
involved in the processing of personal information including, but
not limited to, the following offices: Social Security System (SSS),
Government Service Insurance System (GSIS), Land
Transportation Office (LTO), Bureau of Internal Revenue (BIR),
Philippine Health Insurance Corporation (PhilHealth),
Commission on Elections (COMELEC), Department of Foreign
Affairs (DFA), Department of Justice (DOJ), and Philippine Postal
Corporation (Philpost). (Section 10)
What is RA 10173?
It protects individuals from unauthorized
processing of personal information that is (1)
private, not publicly available; and (2)
identifiable, where the identity of the individual
is apparent either through direct attribution or
when put together with other available
information.
Scope (Sec. 4)
This Act applies to the processing of ALL types of personal
information and to any natural and juridical person
involved in personal information processing including
those personal information controllers and processors
who, although not found or established in the Philippines,
use equipment that are located in the Philippines, or
those who maintain an office, branch or agency in the
Philippines.
The Act and these Rules apply to the processing of
personal data by any natural and juridical person in the
government or private sector. They apply to an act done
or practice engaged in and outside of the Philippines.
(IRR)
General Rule
The Data Privacy Act of 2012 applies to
all entities processing data.
- Government Institutions
- Large Corporations and Conglomerates
- Small to Medium Enterprises
Exceptions are strictly construed
Scope (IRR)
They apply to an act done or practice engaged in and
outside of the Philippines, IF:
a. The natural or juridical person involved in the
processing of personal data is found or established in the
Philippines;
b. The act, practice or processing relates to personal data
about a Philippine citizen or Philippine resident;
c. The processing of personal data is being done in the
Philippines; or
d. The act, practice or processing of personal data is done
or engaged in by an entity with links to the Philippines,
with due consideration to international law and comity,
such as, but not limited to, the following:
1. Use of equipment located in the country, or maintains
an office, branch or agency in the Philippines for
processing of personal data;
2. A contract is entered in the Philippines;
3. A juridical entity unincorporated in the Philippines but
has central management and control in the country;
4. An entity that has a branch, agency, office or subsidiary
in the Philippines and the parent or affiliate of the
Philippine entity has access to personal data;
5. An entity that carries on business in the Philippines;
6. An entity that collects or holds personal data in the
Philippines
Scope (Sec. 4)
Data Privacy Act of 2012 protects all forms of
information that are -
a. PERSONAL;
b. SENSITIVE; or
c. PRIVILEGED.
Exclusions from the Coverage
Data Privacy Act
Exclusions from the coverage (Sec. 4)
a. Information about any individual who is or was
an officer or employee of a government
institution that relates to the position or
functions of the individual;
b. Information about an individual who is or was
performing service under contract for a
government institution that relates to the
services performed, including the terms of the
contract, and the name of the individual given in
the course of the performance of those services;
c. Information relating to any discretionary
benefit of a financial nature such as the
granting of a license or permit given by the
government to an individual, including the name
of the individual and the exact nature of the
benefit;
d. Personal information processed for
journalistic, artistic, literary or research
purposes;
e. Information necessary in order to carry out the
functions of public authority which includes the
processing of personal data for the performance by the
independent, central monetary authority and law
enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions.
Nothing in this Act shall be construed as to have
amended or repealed Republic Act No. 1405, otherwise
known as the Secrecy of Bank Deposits Act; Republic Act
No. 6426, otherwise known as the Foreign Currency
Deposit Act; and Republic Act No. 9510, otherwise known
as the Credit Information System Act (CISA);
f. Information necessary for banks and other
financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko
Sentral ng Pilipinas to comply with Republic Act No.
9510, and Republic Act No. 9160, as amended,
otherwise known as the Anti-Money Laundering Act
and other applicable laws; and
g. Personal information originally collected from
residents of foreign jurisdictions in accordance
with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which is
being processed in the Philippines.
Extraterritorial Application (Sec. 6)
This Act applies to an act done or practice engaged in and outside of
the Philippines by an entity if:
a. The act, practice or processing relates to
personal information about a Philippine citizen
or a resident;
b. The entity has a link with the Philippines, and
the entity is processing personal information in
the Philippines or even if the processing is
outside the Philippines as long as it is about
Philippine citizens or residents; and
c. The entity has other links in the Philippines.
Extraterritorial Application (Sec. 6)
This Act applies to an act done or practice engaged in and outside of the
Philippines by an entity if:
b. The entity has a link with the Philippines, and the entity is
processing personal information in the Philippines or even if the
processing is outside the Philippines as long as it is about Philippine
citizens or residents:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but
has central management and control in the country; and
(3) An entity that has a branch, agency, office or
subsidiary in the Philippines and the parent or affiliate of
the Philippine entity has access to personal information;
Extraterritorial Application (Sec. 6)
This Act applies to an act done or practice engaged in
and outside of the Philippines by an entity if:
(c) The entity has other links in the Philippines such as,
but not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by
an entity in the Philippines.
Confidentiality (Sec. 8)
The Commission shall ensure at all times the
confidentiality of any personal information that
comes to its knowledge and possession.
Extension of Privileged Communication.
Personal information controllers may invoke the
principle of privileged communication over
privileged information that they lawfully control
or process. Subject to existing laws and
regulations, any evidence gathered on privileged
information is inadmissible. (Section 15)
Subcontract of Personal Information (Section 14)
Protection afforded to Data Subjects (Sec. 6 IRR)
The personal information controller or personal
information processor shall uphold the rights of data
subjects, and adhere to general data privacy principles
and the requirements of lawful processing.
The burden of proving that the Act and these Rules are
not applicable to a particular information falls on those
involved in the processing of personal data or the party
claiming the non-applicability.
In all cases, the determination of any exemption shall be
liberally interpreted in favor of the rights and interests
of the data subject.
Protection Afforded to Journalists and Their Sources
Nothing in this Act shall be construed as to have
amended or repealed the provisions of Republic
Act No. 53, which affords the publishers, editors
or duly accredited reporters of any newspaper,
magazine or periodical of general circulation
protection from being compelled to reveal the
source of any news report or information
appearing in said publication which was related
in any confidence to such publisher, editor, or
reporter. (Section 5)
Security of Personal Information (Sec. 20)
The personal information controller must
implement reasonable and appropriate
organizational, physical and technical measures
intended for the protection of personal
information against any accidental or unlawful
destruction, alteration and disclosure, as well as
against any other unlawful processing.
Data Privacy Principles
Data Privacy Act
Principle of Accountability (Sec. 21)
Each personal information controller is
responsible for personal information under its
control or custody, including information that
have been transferred to a third party for
processing, whether domestically or
internationally, subject to cross-border
arrangement and cooperation.
Risk-Based Approach
When an organization collects, stores, or uses
(i.e. processes) personal data, the individuals
whose data it processes may be exposed
to risks.
It is important that the organization should take
steps to ensure that the data is handled legally,
securely, efficiently and effectively in order to
deliver the best possible care.
General Data PRIVACY PRINCIPLES (Sec. 11)
The processing of personal information shall be
allowed, subject to compliance with the
requirements of this Act and other laws allowing
disclosure of information to the public and
adherence to the principles of (1) transparency,
(2) legitimate purpose, and (3) proportionality.
General Data Privacy Principles (IRR)
Transparency* - The data subject must be aware of the nature,
purpose, and extent of the processing of his or her personal data,
including the risks and safeguards involved, the identity of personal
information controller, his or her rights as a data subject, and how
these can be exercised. Any information and communication relating to
the processing of personal data should be easy to access and
understand, using clear and plain language.
Legitimate purpose* - The processing of information shall be
compatible with a declared and specified purpose which must not be
contrary to law, morals, or public policy.
Proportionality - The processing of information shall be adequate,
relevant, suitable, necessary and not excessive in relation to a declared
and specified purpose. Personal data shall be processed only if the
purpose of the processing could not reasonably be fulfilled by other
means.
Privacy Program Required
The law requires that any entity involved in data
processing must develop, implement and review
procedures for the collection of personal data,
obtaining consent, limiting processing to defined
purposes, access management, providing recourse
to data subjects, and appropriate data retention
policies.
These requirements necessitate the creation of a
privacy program. Requirements for technical
security safeguards in the act also mandate that an
entity have a security program.
General Data Privacy Principles (Sec. 11)
Personal information must be (5):
(a) COLLECTED for specified and legitimate purposes determined
and declared before, or as soon as reasonably practicable after
collection, and later PROCESSED in a way compatible with such
declared, specified and legitimate purposes only;
(b) PROCESSED fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for
which it is to be used the processing of personal information, kept
up to date; inaccurate or incomplete data must be rectified,
supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for
which they are collected and processed;
Personal information must, be:
(e) RETAINED only for as long as necessary for the fulfillment
of the purposes for which the data was obtained or for the
establishment, exercise or defense of legal claims, or for
legitimate business purposes, or as provided by law; and
(f) KEPT in a form which permits identification of data
subjects for no longer than is necessary for the purposes for
which the data were collected and processed: Provided, That
personal information collected for other purposes may be
processed for historical, statistical or scientific purposes, and
in cases laid down in law may be stored for longer periods.
CRITERIA for Lawful Processing of Personal Information (Sec. 12)
The processing of personal information shall be permitted
only (1) if not otherwise prohibited by law, and (2) when
at least ONE of the following conditions exists: (6) CPALE
(a) The data subject has given his or her CONSENT*;
(b) The processing of personal information is necessary
and is related to the fulfillment of a CONTRACT with the
data subject or in order to take steps at the request of the
data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a
LEGAL OBLIGATION to which the personal information
controller is subject;
xxx and when at least one of the following conditions exists:
(d) The processing is necessary to protect VITALLY IMPORTANT
INTERESTS of the data subject, including life and health;
(e) The processing is necessary in order to respond to NATIONAL
EMERGENCY, to comply with the requirements of public order
and safety, or to fulfill functions of public authority which
necessarily includes the processing of personal data for the
fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the
LEGITIMATE INTERESTS pursued by the personal information
controller or by a third party or parties to whom the data is
disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.
General principles in collection,
processing and retention (IRR)
Simply put
The processing of personal data shall adhere to the following general
principles in the collection, processing, and retention of personal
data:
a. Collection must be for a declared, specified, and legitimate
purpose;
b. Personal data shall be processed fairly and lawfully;
c. Processing should ensure data quality;
d. Personal data shall not be retained longer than necessary; AND
e. Any authorized further processing shall have adequate
safeguards.
General principles in Data Sharing (IRR)
Further Processing of Personal Data collected from a party
other than the Data Subject shall be allowed under any of the
following conditions:
a. Data sharing shall be allowed when it is expressly
authorized by law: Provided, that there are adequate safeguards for data
privacy and security, and processing adheres to principle of transparency,
legitimate purpose and proportionality.
b. Data Sharing shall be allowed in the private sector if the
data subject consents to data sharing; and
c. The data subject shall be provided with the following
information prior to collection or before data is shared.
Sensitive Personal Information and Privileged Information
(SPIPI/Sec. 13)
The processing of sensitive personal information and privileged
information shall be PROHIBITED, EXCEPT in the following cases:
(a) The data subject has given his or her CONSENT, specific to the
purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their consent
prior to processing;
(b) The processing of the same is provided for by EXISTING LAWS and
regulations: Provided, That such regulatory enactments guarantee
the protection of the SPIPI: Provided, further, That the consent of the
data subjects are not required by law or regulation permitting the
processing of the SPIPI;
(c) The processing is necessary to PROTECT THE LIFE AND HEALTH of
the data subject or another person, and the data subject is not
legally or physically able to express his or her consent prior to the
processing;
(d) The processing is necessary to achieve the LAWFUL AND
NONCOMMERCIAL OBJECTIVES OF PUBLIC ORGANIZATIONS and their
associations: Provided, That such processing is only confined and related to
the bona fide members of these organizations or their associations:
Provided, further, That the sensitive personal information are not
transferred to third parties: Provided, finally, That consent of the data
subject was obtained prior to processing;
(e) The processing is necessary for purposes of MEDICAL TREATMENT, is
carried out by a medical practitioner or a medical treatment institution,
and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for
the protection of LAWFUL RIGHTS AND INTERESTS of natural or legal
persons in court proceedings, or the establishment, exercise or defense of
legal claims, or when provided to government
Rights of the Data Subject
Data Privacy Act
Rights* of The Data Subject (Section 16) CPALE
(a) Right to be INFORMED that the personal information
shall be, are being or have been processed including
the existence of automated decision-making and profiling.
The disclosure must be made before the entry of data into
the processing system or at the next practical opportunity;
PRIOR DISCLOSURE
Description ofthe personal data
Purposes for processing
Basis of processing, when not based on the consent of data
subject
Rights of The Data Subject (Section 16)
(a) Right to be INFORMED that the personal information
shall be, are being or have been processed (continued);
PRIOR DISCLOSURE
Scope and method
Recipients or classes of recipients of personal data
Methods used for automated access, if allowed
Contact details for personal information controller or
representative
Retention period
Existence of rights of data subjects
Right to Object
The right to object to the processing of personal data,
includes the right to be notified and given an
opportunity to withhold consent to the processing in
case of any changes or any amendment to the
information supplied or declared.
Exceptions
Personal data is needed pursuant to a subpoena
Processing is for obvious purposes
Necessary for or related to a contract or service to which
the data subject is a party; or
Necessary or desirable in an employer-employee
relationship
Information is being processed as a result of a legal
obligation
Rights of The Data Subject (Section 16)
(a) Right to be INFORMED that the personal information
shall be, are being or have been processed;
(b) Right to be FURNISHED the information indicated
hereunder before the entry of his or her personal
information into the processing system;
(c) Right to Reasonable ACCESS upon demand;
(d) Right to OBJECT / DISPUTE the inaccuracy or
error in the personal information;
(e) Right to RECTIFY / CORRECT, unless the request is
vexatious or otherwise unreasonable;
(f) Right to ERASURE or BLOCKING (suspend, withdraw or
order the blocking, removal or destruction of his or her
personal information from the personal information
controller's filing system);
(g) Right to DAMAGES sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or
unauthorized use of personal information.
Right to Block or Remove
Available when personal data is:
Incomplete, outdated, false or unlawfully obtained
Used for unauthorized purposes
No longer necessary for purposes of collection
Private information prejudicial to data subject, unless justified
by freedom of speech, expression, or of the press, or otherwise
authorized
Data subject withdraws consent and objects to the processing,
and there is no other legal ground or overriding legitimate
interest
Part of unlawful processing
PIC or PIP violated the rights of the data subject
Rights Of The Data Subject (Section 16)
The law enumerates rights that are familiar to
privacy professionals as related to the principles of
notice, choice, access, accuracy and integrity of
data.
Sec. 17- Transmissibility of Rights of the Data
Subject
Sec. 18 - Right to Data Portability (to obtain a copy
of such data in an electronic or structured format)
Right to Indemnification
Violations of data subject rights are sufficient
causes of action
Awards are in line with the Civil Code on
damages
Complainants must prove their case, not rely
on weakness
Collection, Processing, and Consent
The law states that the collection of personal data "must
be a declared, specified, and for a legitimate purpose"
and further provides that consent is required prior to the
collection of all personal data.
It requires that when obtaining consent, the data subject
be informed about the extent and purpose of processing,
and it specifically mentions the "automated processing of
his or her personal data for profiling, or processing for
direct marketing, and data sharing." Consent is further
required for sharing information with affiliates or even
mother companies.
Consent must be "freely given, specific, informed,"
and the definition further requires that consent to
collection and processing be evidenced by
recorded means. However, processing does not
always require consent (Exceptions).
An exception to consent is allowed where
processing is necessary to pursue the legitimate
interests of the data controller, except where
overridden by the fundamental rights and freedoms
of the data subject.
Outsourcing And Subcontracting Agreements
A personal information controller may
subcontract or outsource the processing of
personal data.
Processing by a personal information processor
shall be governed by a contract or other legal
act that binds the personal information
processor to the personal information controller.
Security Incident
An event or occurrence that affects or tends
to affect data protection
May compromise the availability, integrity and
confidentiality of personal data
Incidents that would have resulted in a
security breach had safeguards not been in
place.
Data Breach
A security incident:
- Leads to unlawful or unauthorized
processing of personal, sensitive, or
privileged information
- Compromises the availability, integrity, or
confidentiality of personal data
Data Privacy and Security (IRR)
Personal information controllers and personal
information processors shall implement
reasonable and appropriate organizational,
physical, and technical security measures for the
protection of personal data.
The security measures shall aim to maintain the
availability, integrity, and confidentiality of
personal data.
Data Breach Notification
The Commission and affected data subjects shall be notified by
the personal information controller within seventy-two (72)
hours (1) upon knowledge of, or (2) when there is reasonable
belief by the personal information controller or personal
information processor that, a personal data breach requiring
notification has occurred.
Notification of personal data breach shall be required when sensitive
personal information or any other information that may, under the
circumstances, be used to enable identity fraud are reasonably
believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious
harm to any affected data subject.
Mandatory Notification
- The personal data involves sensitive personal
information or any other information that may
be used to enable identity fraud.
- There is reason to believe that the information
may have been acquired by an unauthorized
person.
- The unauthorized acquisition is likely to give
rise to a real risk of serious harm to any
affected data subject.
In doubt? Consider
- The likelihood of harm or negative consequences on
the affected data subjects;
- How notification could reduce the risks arising from
the personal data breach; and
- If the data involves:
  - Information that would likely affect national security,
  public safety, public order, or public health
  - At least one hundred (100) individuals
  - Information required by all applicable laws or rules to be
  confidential; or
  - Personal data of vulnerable groups
Notification
Who must be notified?
The Commission
When does notification happen?
The Commission shall be notified within 72
hours upon knowledge of or reasonable belief
by the personal information processor that a
personal data breach has occurred.
Data Breach Notification
Section 38 of the IRRs provides the
requirements of breach notification:
- The breached information must be
sensitive personal information, or information
that could be used for identity fraud;
- There is a reasonable belief that unauthorized
acquisition has occurred;
- The risk to the data subject is real; and
- The potential harm is serious.
Contents of Notification (Sec. 39, IRR)
The contents of the notification must at least describe:
- The nature of the breach;
- The personal data possibly involved;
- The measures taken by the entity to address the
breach;
- The measures taken to reduce the harm or negative
consequences of the breach;
- The representatives of the personal information
controller, including their contact details; and
- Any assistance to be provided to the affected data
subjects.
Delay in Notification (Mandatory)
There shall be no delay in the notification (1) if
the breach involves at least one hundred (100)
data subjects, or (2) the disclosure of sensitive
personal information will harm or adversely
affect the data subject.
In any case, the Commission must be notified
within the 72-hour period based on available
information.
Delay in Notification (Exception)
Notification may only be delayed to the extent
necessary to determine the scope of the breach, to
prevent further disclosures, or to restore
reasonable integrity to the information and
communication systems.
Absolute certainty is not required for notification.
Restoring integrity will not be considered a valid ground for delay if
prejudicial to the data subject's interest.
Delay in notification cannot be used to perpetuate
fraud or conceal the breach.
Full Report and Contents
The full report of the personal data breach must
be submitted within five (5) days, unless the
personal information controller is granted
additional time by the Commission to comply.
Contents of Notification
- Nature of the Breach
- Personal Data Possibly Involved
- Remedial Actions Taken
Registration and Compliance
Data Privacy Act
Who needs to register?
Registration of personal data processing systems operating in
the country that involve accessing or requiring sensitive
personal information of at least one thousand (1,000)
individuals, including the personal data processing systems of
contractors, and their personnel, entering into contracts with
government agencies.
The personal information controller or personal information
processor that employs fewer than two hundred fifty (250)
persons shall not be required to register unless (1) the processing
it carries out is likely to pose a risk to the rights and
freedoms of data subjects, (2) the processing is not
occasional, or (3) the processing includes sensitive personal
information of at least one thousand (1,000) individuals.
How do I remain in compliance with the Data Privacy Act?
Personal information controllers and personal
information processors shall comply with the
following guidelines for organizational security:
- Appoint a Data Protection Officer;
- Implement appropriate data protection policies;
- Maintain records that sufficiently describe its
data processing system;
- Select and supervise its employees, agents,
or representatives; and
- Exercise a breach reporting procedure.
Offenses Punishable under DPA
SEC. 25. Unauthorized Processing of Personal
Information and Sensitive Personal Information
- Without the consent of the data subject or without
being authorized by the DPA or any other law
SEC. 26. Accessing Personal Information and
Sensitive Personal Information Due to
Negligence
SEC. 27. Improper Disposal of Personal
Information and Sensitive Personal Information
- Placed the personal information of an individual in a
container for trash collection
SEC. 28. Processing of Personal Information and
Sensitive Personal Information for Unauthorized
Purposes
SEC. 29. Unauthorized Access or Intentional
Breach
- Knowingly and unlawfully violates data
confidentiality and security data systems
SEC. 30. Concealment of Security Breaches
Involving Sensitive Personal Information
- Either intentionally or by omission conceals the fact of such
breach
SEC. 31. Malicious Disclosure (with malice or in bad
faith, discloses unwarranted or false information relative to any
personal information or sensitive personal information obtained by
him or her)
SEC. 32. Unauthorized Disclosure (discloses to a
third party personal information not covered by the immediately
preceding section without the consent of the data subject)
Offenses Punishable under DPA
Sec. 33. Combination or Series of Acts
Sec. 34. Extent of Liability
- Aliens may be deported
Sec. 35. Large-Scale
- When more than 100 persons are harmed or affected
Sec. 36. Offense Committed by Public Officer
Sec. 37. Restitution
Liability for Violation
Unauthorized processing, negligent handling, or
improper disposal of personal information is
punishable with up to six (6) years
imprisonment or up to four million pesos (PHP
4,000,000), depending on the nature and degree
of the violation.
Required Reading
Statutes and Circulars
- RA 10173. Data Privacy Act
- Implementing Rules and Regulations of the Data Privacy Act
- NPC Circular No. 16-03. Data Breach Management
- NPC Circular No. 17-01. Registration of Data Processing Systems
Advisories
- NPC Advisory No. 2017-01. Designation of Data Protection Officers.
- NPC Advisory No. 2018-01 and 2018-02. Security Incident and Data Breach Reportorial Requirements.