2022 Compendium May 25

This document provides an introduction to the 2022 Compendium of National Privacy Commission (NPC) Issuances from the NPC Privacy Commissioner and Deputy Privacy Commissioners. It highlights the importance of data privacy and protection in the Philippines and discusses how the compendium aims to educate citizens on data privacy concerns through the NPC's various issuances over the past year. The compendium is presented as a resource for understanding data privacy law and guidance on its application. The introductions emphasize the shared responsibility of personal information controllers, processors, and data subjects in protecting personal data and encouraging a culture of privacy.


MESSAGE

The need to raise awareness in data privacy and security remains vital in empowering
our citizens and our nation. In fulfillment of its mandate, the National Privacy Commission
(NPC) continues to guide and educate the Filipinos, both data subjects and personal
information controllers (PICs) or personal information processors (PIPs) on data privacy
and protection through the annual release of its Compendium.

The Compendium of NPC Issuances is not only a reliable source of information and
guide to our citizens and stakeholders, it is also a body of work that demonstrates the
Commission’s commitment to ensuring that the basic human right to privacy is protected.

In 2022, we faced various privacy issues and concerns which were promptly addressed by
the Commission within the purview of its mandate. Such issues and concerns range from
health information, employment records, and requests for public officials’ information up
to matters concerning data subject rights, criteria for lawful processing, and penalties for
privacy violators provided under the Data Privacy Act of 2012 (DPA).

With this, the 2022 Compendium of NPC Issuances is composed of 29 Advisory Opinions,
18 Decisions, 37 Resolutions, 4 Circulars, 1 Frequently Asked Questions (FAQ), and 1 Joint
Administrative Order that aim to educate our citizens on various data privacy concerns.

Indeed, this Compendium also serves as the collective labor and desire of the Commission
to always bring its role as partner-regulator to the next level – may it be in guiding the
data subjects to know their rights or in assisting PICs and PIPs to adequately comply with
the DPA.

With this, the Commission hopes that this Compendium will continue to inspire data
privacy champions and allies in joining us in our vision towards a secure and world-class
data privacy environment in the Philippines. Equally, may it also encourage Filipinos to
remain curious and be citizens that aim to rigorously safeguard the right to privacy.

(Sgd.) ATTY. JOHN HENRY D. NAGA
Privacy Commissioner

2 THE 2022 COMPENDIUM OF NPC ISSUANCES


MESSAGE

The significant increase in the processing of personal data has resulted in an intensified
awareness of the Data Privacy Act of 2012 (DPA). In fact, a recent study found that people
are becoming more interested in learning about data privacy and how the National Privacy
Commission (NPC) can protect their personal information. The results of the study also
indicate that more individuals are starting to look at data privacy as something important
and relevant to them.

Building on this interest and the growing importance being given to data privacy, the
NPC is pleased to present this compendium that presents a consolidated overview of its
issuances in the year 2022. This material serves as an invaluable resource for those who
seek to deepen their understanding of the law and its application to practical situations and
experiences. In particular, the pseudonymized version of the Decisions and Resolutions of
the Commission En Banc aims to provide clarity and guidance on various matters related to
the application of the DPA, its IRR, and other issuances of the NPC.

The various issuances of the NPC seek to remind Personal Information Controllers (PICs),
Personal Information Processors (PIPs), and data subjects about their concomitant
responsibilities under the DPA. The protection of our personal information is not just the
work of a single person, but it is a shared responsibility between those who process
personal data and the data subjects who own that data. By reading the discussions
provided herein, I hope that any misconceptions or misinterpretations of the law can be
addressed and, ultimately, not only decrease the privacy risks for data subjects but also
increase the level of compliance of PICs and PIPs.

Finally, I encourage everyone to not lose sight of what data privacy is all about – to protect
the fundamental right to privacy of human beings – us, as data subjects. Developing a
better and correct understanding of the general privacy principles and the lawful criteria
for processing our personal information, among other things, is a step closer to what
the NPC has always envisioned – a culture of privacy, where everyone can confidently
share their information because they know that their right to privacy is protected and
respected. With our collective efforts, I am confident that we can thrive, flourish, and
establish an environment that fosters privacy, innovation, and growth.

(Sgd.) ATTY. LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

MESSAGE

In recent years, particularly during the COVID-19 pandemic, there has been a significant
surge in the generation, storage, and transmission of personal data through digital
platforms. This rise in digital platforms and services, coupled with the rapid growth of data,
has raised substantial concerns regarding data privacy and protection. The extensive use
of digital platforms has led to data breaches, unauthorized access, and the misuse of
personal information.

Recognizing these emerging challenges, the National Privacy Commission (NPC) has
proactively addressed these issues by continuously adjusting its policies and regulations,
in line with the demands of this ever-evolving digital landscape. It has likewise remained
true to its commitment to uphold and safeguard individuals’ data privacy rights by
incorporating them into its policies, plans, and programs, and to empower the public with the
knowledge and tools necessary to protect their data and privacy rights amidst evolving
technological threats.

In line with this commitment, the Commission has compiled recent issuances into this
Compendium. Through this, the NPC aims to provide a valuable platform for data subjects,
privacy professionals, businesses, government agencies, and other stakeholders engaged
in the processing and protection of personal data. By doing so, we seek to facilitate
stakeholders’ active participation in the privacy landscape, foster greater awareness,
and encourage responsible handling of personal data among organizations, ultimately
creating a safer and more secure digital environment for everyone.

Let’s come together and recognize the vital importance of data privacy in our lives. My
heartfelt hope is that this Compendium serves as a trusted companion, inspiring individuals
who are dedicated to protecting and promoting the privacy rights of our fellow citizens.
With each reader’s involvement, let’s nurture a shared commitment to data privacy.

(Sgd.) ATTY. NERISSA N. DE JESUS
Deputy Privacy Commissioner



MESSAGE

In this Fourth Industrial Revolution, data privacy has become a global priority. Technology,
innovation, and rapid digital transformation challenge the traditional notions of how we
perceive and use data in an increasingly complex world.

The Philippines is in a period of dynamic digital shift across all sectors. In the government,
the digitalization of public services to enhance bureaucratic efficiency is an administrative
priority and a part of the 8-point socioeconomic agenda of His Excellency President
Ferdinand R. Marcos, Jr.

This agenda is rooted in the state policy that a secure and protected information and
communications technology ecosystem will promote the free flow of information, which
is vital for nation-building. This was tested no less by our lessons from the COVID-19
pandemic. Poor data privacy practices erode public trust and result in an inaccurate,
delayed, and constricted flow of information that negatively impacts the fight against the
novel threat. However, when data is collected in secure and protected environments, we
gain access to truthful and accurate data that is crucial for informed policies, decisions,
strategies, and interventions on both local and international scales.

In a similar manner, the private sector has become more open to the adoption and
development of data-driven technologies, products, services, and other offerings to
remain ahead of the competition. In this respect, private companies no matter the size,
now appreciate the value of incorporating data privacy and security practices in their
systems, processes, and policies.

Despite these developments, we should remain cognizant that building a secure and
resilient digital ecosystem for the Philippines is an arduous endeavor. Many industries,
even the government, are still in the infancy stages of their data protection journey.
Our data privacy awareness campaigns have seen successful strides, but much work is
needed to develop policies, regulations, and infostructure that can support privacy-first
initiatives.

Our work now teaches future leaders and provides them with concrete examples of how
to approach grey areas in the application of data privacy concepts to new ideas and
concepts. It is, therefore, our solemn commitment to assure our stakeholders that their
National Privacy Commission (NPC) shall continue to deliver Advisory Opinions, Advisories,
and Circulars that are relevant to changing times and responsive to their needs.

We must remember that the NPC is given the distinct opportunity to witness, understand,
and address the complexities faced by our stakeholders and influence the steps they
take. Thus, we must remain true to our mandate, act with diligence, and work together
towards the common goal of laying the foundations of data protection in the Philippines.

I wish to express my confidence and trust in the officials and employees of the NPC who,
through perseverance and dedication, have demonstrated great capabilities to advance
the public interest considerations inherent in data privacy protection.

This 2022 Compendium will be a guiding instrument for all our stakeholders. It is reflective
of the NPC’s evolving views of data privacy and protection and indicative of our strategies
to enforce the Data Privacy Act through varying levels of regulatory action.

I trust that the NPC, under the Marcos Administration and in partnership with the
Department of Information and Communications Technology, will continue to be
instrumental on the path to recovery and nationwide transformation.

To all the officials and employees of the NPC, mabuhay!

(Sgd.) ATTY. IVIN RONALD D.M. ALZONA
Executive Director IV



ADVISORY OPINION

14 ADVISORY OPINION NO. 2022-001
PHILHEALTH’S PUBLICATION OF THE LIST OF HEALTH CARE PROVIDERS WITH DENIED OR RETURN-TO-HOSPITAL CLAIMS

18 ADVISORY OPINION NO. 2022-002
DISCLOSURE BY CAR DEALERS/AUTOMOTIVE REPAIR SHOPS OF PERSONAL DATA OF THE ABANDONED VEHICLE OWNERS

22 ADVISORY OPINION NO. 2022-003
REQUEST FOR A COPY OF COMPLAINTS FILED AND RECORDS IN RELATION THERETO

25 ADVISORY OPINION NO. 2022-004
DISCLOSURE OF INCAPACITATED PATIENTS AND DECEASED PATIENTS’ MEDICAL INFORMATION

30 ADVISORY OPINION NO. 2022-005
REQUEST FOR NAMES AND ADDRESSES OF VEHICLE OWNERS FROM THE LAND TRANSPORTATION OFFICE

37 ADVISORY OPINION NO. 2022-006
REQUEST FOR CUSTOMER’S PERSONAL DATA AND TRANSACTION HISTORY WITH A PRIVATE COURIER

43 ADVISORY OPINION NO. 2022-007
TRANSPORT OF PHYSICAL MEDIA CONTAINING PERSONAL DATA

48 ADVISORY OPINION NO. 2022-008
OBTAINING EMPLOYMENT RECORD OR CERTIFICATION FROM THE SOCIAL SECURITY SYSTEM

51 ADVISORY OPINION NO. 2022-009
PUBLICATION OF FORMER EMPLOYEES’ NAMES AND SEVERANCE FROM EMPLOYMENT

55 ADVISORY OPINION NO. 2022-010
REQUEST FOR OPINION ON PRIVACY MATTERS CONCERNING TRANSFER OF ASSETS/LIABILITIES

70 ADVISORY OPINION NO. 2022-011
PERSONAL DATA RETENTION AND DELETION

80 ADVISORY OPINION NO. 2022-012
REMEDIES AGAINST THE ALLEGED DATA BREACH INVOLVING WORKABROAD.PH (WORKABROAD)

86 ADVISORY OPINION NO. 2022-013
ONLINE LENDING MOBILE APPLICATION PERMISSIONS

93 ADVISORY OPINION NO. 2022-014
RECORDING AND UPLOADING OF ONLINE CLASSES

98 ADVISORY OPINION NO. 2022-015
USE OF CAMERA DURING SURVEILLANCE VISITS

105 ADVISORY OPINION NO. 2022-016
REQUEST FOR PERSONAL INFORMATION OF OFWs DEPLOYED IN THE MIDDLE EAST AND OTHER MUSLIM COUNTRIES

111 ADVISORY OPINION NO. 2022-017
DISCLOSURE OF PERSONAL INFORMATION FOR CYBERSECURITY INVESTIGATIONS

118 ADVISORY OPINION NO. 2022-018
DATA SUBJECT RIGHTS IN THE PHILIPPINE IDENTIFICATION SYSTEM

125 ADVISORY OPINION NO. 2022-019
USE OF BODY-WORN CAMERA BY SECURITY PERSONNEL

130 ADVISORY OPINION NO. 2022-020
CIVIL REGISTRY DOCUMENT REQUEST BY A PERSON OTHER THAN THE OWNER

135 ADVISORY OPINION NO. 2022-021
PUBLICATION OF INFORMATION OF LIST OF WHOLESALE ELECTRICITY SPOT MARKET (WESM) MEMBERS AND RETAIL CUSTOMER INFORMATION UNDER RETAIL COMPETITION AND OPEN ACCESS (RCOA) AND GREEN ENERGY OPTION PROGRAM (GEOP)

141 ADVISORY OPINION NO. 2022-022
DISCLOSURE OF COVID-19 SWAB TEST RESULTS IN GROUP CHAT

142 ADVISORY OPINION NO. 2022-023
DISCLOSURE OF STUDENTS’ PERSONAL DATA FOR CASE BUILD-UP PURPOSES

151 ADVISORY OPINION NO. 2022-024
FREE FLOW OF DATA

156 ADVISORY OPINION NO. 2022-025
201 FILES OF GOVERNMENT EMPLOYEES

162 ADVISORY OPINION NO. 2022-026
DISCLOSURE OF PERSONAL DATA THROUGH THE DATABASE OF INDIVIDUALS BARRED FROM TAKING CIVIL SERVICE EXAMINATIONS AND FROM ENTERING GOVERNMENT SERVICE (DIBAR)

168 DECISIONS

584 RESOLUTIONS

CIRCULARS

962 NPC Circular No. 2022-01
GUIDELINES ON ADMINISTRATIVE FINES

968 NPC Circular No. 2022-02
AMENDING CERTAIN PROVISIONS OF NPC CIRCULAR NO. 20-01 ON THE GUIDELINES ON THE PROCESSING OF PERSONAL DATA FOR LOAN-RELATED TRANSACTIONS

974 NPC Circular No. 2022-03
GUIDELINES FOR PRIVATE SECURITY AGENCIES ON THE PROPER HANDLING OF CUSTOMER AND VISITOR INFORMATION

981 NPC Circular No. 2022-04
REGISTRATION OF PERSONAL DATA PROCESSING SYSTEM, NOTIFICATION REGARDING AUTOMATED DECISION-MAKING OR PROFILING, DESIGNATION OF DATA PROTECTION OFFICER, AND THE NATIONAL PRIVACY COMMISSION SEAL OF REGISTRATION

1002 FREQUENTLY ASKED QUESTIONS ON THE GUIDELINES ON ADMINISTRATIVE FINES

1011 JOINT ADMINISTRATIVE ORDER NO. 22-01
Series of 2022

ADVISORY OPINION

ADVISORY OPINION NO. 2022-001¹
11 February 2022

Re: PHILHEALTH’S PUBLICATION OF THE LIST OF HEALTH CARE PROVIDERS WITH DENIED OR RETURN-TO-HOSPITAL CLAIMS

Dear

We write in response to your request for an Advisory Opinion received by the
National Privacy Commission (NPC) seeking clarification on whether the publication
of the list of health care facilities with denied or return-to-hospital (RTH) claims,
including the reasons thereof, violates the provisions of the Data Privacy Act of
2012² (DPA), its Implementing Rules and Regulations³ (IRR) and other issuances
of the NPC.

You stated in your letter that the Philippine Health Insurance Corporation
(PhilHealth), in the interest of transparency and right to information of the public, is
considering the publication of the abovementioned list. The proposed publication
emanated from allegations that the PhilHealth still owes certain amounts of money
when, upon verification, most of such pending claims were actually denied or RTH
claims.

Claims are denied when the same are violative of existing PhilHealth laws, rules
and regulations (e.g., fraudulent claims, medical condition or procedure is not
compensable under the All Case Rate policy or filed beyond the prescribed period)
or returned to health care facilities for correction of deficiencies (e.g., incomplete
attachments, improperly filled out claim forms) and to be refiled once corrected.
We further understand from your letter that the PhilHealth is mandated to establish
a mechanism for feedback aimed at improving the quality of service and to periodically
inform the public of the performance of accredited health care providers, including
accreditation that has been suspended or revoked by PhilHealth.⁴

¹ Tags: scope of the DPA; juridical entities; legal obligation; public authority; law or regulation; general data privacy
principles; proportionality; sensitive personal information.
² An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data
Privacy Act of 2012], Republic Act No. 10173 (2012).
³ Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173 (2016).

You now ask whether such publication is allowed under the DPA.

Scope of the DPA; health care providers

The DPA applies to the processing of all types of personal information and
sensitive personal information (collectively, personal data) and to any natural or
juridical person involved in the processing of personal data.⁵

This means that the scope of the DPA, with regard to the subject matter, is limited
only to the processing of personal data or data pertaining to natural persons
or individuals. Data pertaining to juridical entities (e.g., company name, address,
financial information, etc.) are not covered by the DPA.

With this, we refer to the definition of health care institution under the revised IRR
of the National Health Insurance Act of 2013, as amended:

Health Care Institution — refers to health facilities that are accredited with
Philhealth which includes, among others, hospitals, ambulatory surgical clinics, TB-
DOTS, freestanding dialysis clinics, primary care benefits facilities, and maternity
care package providers.⁶

From the foregoing, health care institutions are therefore juridical persons. We
wish to clarify that publications involving the details of juridical entities do not
fall within the ambit of the DPA. We emphasize that the DPA is limited only to the
processing of personal data or information of natural persons.⁷

We wish to clarify further that should the terms “health care institution” or “health
care facility” include health care professionals who are natural persons, and there
will be publications involving the details of the said natural persons, the provisions
of the DPA shall apply.⁸

Lawful processing; legal obligation; functions of public authority; law or regulation

In case the publication will involve personal data as discussed above, such
processing by PhilHealth may be based on the applicable criterion under Sections
12 or 13 of the DPA, for the processing of personal information and sensitive
personal information, respectively.

Specifically, Section 12 (c) and (e) or Section 13 (b) may be applicable:

SECTION 12. Criteria for Lawful Processing of Personal Information. — The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists: x x x

(c) The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject; x x x

(e) The processing is necessary in order to respond to national emergency, to
comply with the requirements of public order and safety, or to fulfill functions
of public authority which necessarily includes the processing of personal data
for the fulfillment of its mandate; or x x x

SECTION 13. Sensitive Personal Information and Privileged Information. —
The processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases: x x x

(b) The processing of the same is provided for by existing laws and regulations:
x x x.

⁴ Rules and Regulations Implementing the National Health Insurance Act of 2013, Republic Act No. 7875 as
amended, § 79 (2004).
⁵ Data Privacy Act of 2012, § 4.
⁶ Rules and Regulations Implementing the National Health Insurance Act of 2013, as amended, § 3 (w).
⁷ Data Privacy Act of 2012, § 4 in relation to § 3 (g) and 3 (l).
⁸ Ibid.

The above is read in relation to the IRR of Republic Act (RA) No. 7875, as amended,
otherwise known as the National Health Insurance Act of 2013, which mandates
PhilHealth to establish a mechanism for feedback to inform the public about the
performance of accredited health care providers, to wit:

SECTION 79. Mechanism for Feedback. — A mechanism aimed at improving quality
of service shall be established by the Corporation to periodically inform health care
providers, program administrators and the public of the performance of accredited
health care providers. The Corporation shall make known to the general public
information on the performance of accredited health care providers, including the
release of names of those of good standing as well as those whose accreditation
has been suspended or revoked by the Corporation.

In pursuit of informed choice as enunciated in the Act, feedback reports shall
include information on the amount reimbursed by the Corporation vis-a-vis the
actual charges billed by the accredited health care provider.⁹

The publication of personal data may be allowed since such processing is
necessary for PhilHealth’s compliance with its legal obligation, as the agency
tasked to implement universal health coverage in the country, to inform the public
about the performance of accredited health care providers, which includes those
with denied or RTH claims. The publication of personal data is also in recognition
of PhilHealth’s fulfillment of its mandate under the revised IRR of the National
Health Insurance Act of 2013 to provide a mechanism for feedback to improve the
quality of service.

General data privacy principles; proportionality; sensitive personal information; anonymization

But as a personal information controller (PIC), PhilHealth must still adhere to
the general data privacy principles of transparency, legitimate purpose, and
proportionality.¹⁰ Specific to the principle of transparency, PhilHealth should
ensure that the health care providers involved are informed about the details of
this type of processing (i.e., publication of the list of health care providers with
denied or RTH claims).

This may be achieved through a privacy notice that will explain the purpose
for posting the list (i.e., to periodically inform health care providers, program
administrators and the public of the performance of accredited health care
providers). The privacy notice should also state the means for the data subjects
to correct any inaccurate information and other details upon posting of the
initial list which will help them exercise their rights under the DPA.

⁹ Id. § 79.
¹⁰ Data Privacy Act of 2012, § 11.

Proportionality requires that the processing of personal data shall be adequate,
relevant, suitable, necessary, and not excessive in relation to a declared and
specified purpose.¹¹ In this regard, PhilHealth should consider indicating a specific
period in its publication (e.g., “as of December 2021”) to ensure its accuracy.

PhilHealth must assess what particular personal data should be published in
relation to its purpose of informing the general public about health care providers
with denied and RTH claims.

Sensitive personal information of doctors, nurses, midwives, dentists, pharmacists
or other healthcare professionals or practitioners such as their license numbers,
other government-issued identification numbers, marital status, date of birth,
among others, should not be published as these may already be deemed irrelevant
to the declared and specified purpose. From PhilHealth’s 15 December 2021 letter,
we note that the purpose for the publication or processing of personal data is
to inform the public about health care providers with denied or RTH claims. This
purpose can be achieved by processing only the necessary personal information
(i.e., posting the list of names of health care professionals) since the names would
already identify the parties concerned. Publication of the above sensitive personal
information would be excessive in relation to such purpose.

Lastly, we note that the reasons for the denied or RTH claims will also be published.
PhilHealth must ensure that no personal data of patients shall be included in the
publication. The general reasons as stated by PhilHealth, e.g., fraudulent claims,
medical condition or procedure is not compensable under the All Case Rate policy,
filed beyond the prescribed period, should already suffice. Any more detailed
disclosure of the reasons why certain claims are denied or returned is relevant
and necessary only for the information of the health care facilities and not the
public.

This opinion is based solely on the limited information you have provided. Additional
information may change the context of the inquiry and the appreciation of facts.
This opinion does not adjudicate issues between parties nor impose any sanctions
or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC – Director IV, Privacy Policy Office

¹¹ Data Privacy Act of 2012, § 11 (d).


ADVISORY OPINION NO. 2022-002¹
11 February 2022

Re: DISCLOSURE BY CAR DEALERS/AUTOMOTIVE REPAIR SHOPS OF PERSONAL DATA OF THE ABANDONED VEHICLE OWNERS

Dear

We write in response to the request for an Advisory Opinion
received by the National Privacy Commission (NPC) regarding the
disclosure by car dealers/automotive repair shops of personal data
of abandoned vehicle owners.

We understand that your client is engaged in the business of operating
car dealerships and repair shops. In line with this, several vehicles it
received for repair and/or maintenance as early as 2015 remain in
its possession despite notice to the owners of the completion of
service/s. This has caused prejudice to your client as the vehicles
require sustained maintenance and space causing undue cost and
potential legal issues in relation thereto.

We understand further that a number of these vehicles were
purchased under financing arrangements with banks or financing
companies. As the vehicles have been left in the repair shop for
several months, if not years, there is the probability that the owners
have stopped amortization payments for the abandoned vehicles.

You now ask whether informing the concerned mortgagee banks
or financing companies on the status of the unclaimed vehicles that
they have financed is sanctioned under the Data Privacy Act of
2012² (DPA), particularly as a valid disclosure falling under Section
12 (f) on legitimate interest.

¹ Tags: disclosure of personal data; lawful basis for processing; legitimate interest; legal claims.
² An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for this purpose a National Privacy Commission and for other Purposes [Data Privacy
Act of 2012], Republic Act No. 10173 (2012).

Lawful processing of personal information; legitimate interest of personal information controllers; Section 12 (f) of the Data Privacy Act of 2012

Under the DPA, the processing of personal information shall be
permitted only if not otherwise prohibited by law, and when at
least one of the conditions under Section 12 of the law exists. One
condition under the law is processing necessary for the purposes of
the legitimate interests of the personal information controller (PIC)
or by a third party to whom the data is disclosed,³ to wit:

“(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.”

In the determination of legitimate interest, the following must be
considered:⁴

1. Purpose test – The existence of a legitimate interest must be clearly
established, including a determination of what the particular processing
operation seeks to achieve;
2. Necessity test – The processing of personal information must be
necessary for the purpose of the legitimate interest pursued by the PIC
or third party to whom personal information is disclosed, where such
purpose could not be reasonably fulfilled by other means; and
3. Balancing test – The fundamental rights and freedoms of data subjects
must not be overridden by the legitimate interests of the PIC or third party,
considering the likely impact of the processing on the data subjects.

Indeed, legitimate interest as a ground for lawful processing of
personal data is a flexible concept that may be applicable in certain
instances where processing will not have unwarranted impacts on
the rights and freedoms of data subjects.⁵

³ Data Privacy Act of 2012, § 12 (f).
⁴ See: National Privacy Commission, Advisory Opinion Nos. 2021-10 (March 22, 2021) and 2020-50 (Nov. 26, 2020)
citing Data Privacy Act of 2012, § 12 (f); United Kingdom Information Commissioner’s Office (ICO), What is the
‘Legitimate Interests’ basis?, available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/.
⁵ Article 29 Data Protection Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller
under Article 7 of Directive 95/46/EC, Adopted on 9 April 2014 (available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf).
⁶ Id.


Nevertheless, PICs that consider relying on this basis should undergo
a legitimate interest assessment using the aforementioned tests as
guidance, and document the outcome of the assessment. This gives
data subjects some guarantee that this criterion for processing will
not be misused.⁶

We emphasize as well that legitimate interest is applicable only to the processing of personal information. If the disclosure will involve sensitive personal information, the PIC should determine the appropriate lawful basis under Section 13 of the DPA.

Adherence to the general data privacy principles

Nonetheless, the existence of a lawful basis for disclosure of personal or sensitive personal information (collectively, personal data) under the DPA is just one of the requirements in relation to the processing of personal data. PICs are still required to adhere to the principles of transparency, legitimate purpose, and proportionality prescribed under the law.7

In this case, the data subjects involved must be informed that their
personal data will be disclosed to the banks/financing companies in
relation to the abandoned vehicles. This may be embodied through
an appropriate notice sent to the vehicle owner’s last known
address and/or contact details stating the actions the PIC intends to
make. It is suggested that a similar privacy notice be prepared and
made part of the documentation with respect to future repairs and
maintenance service contracts, or other similar agreements of your
client.

The PIC is also reminded that the disclosure to the banks and/or
financing companies should be limited to its declared and specified
purpose, and that only those personal data that is adequate, relevant,
suitable, necessary, and not excessive in relation to the purpose
should be disclosed. Thus, personal data disclosed to the banks and
financial companies should be limited to information necessary to
identify the owner and the vehicle.

In addition, it is expected that the proposed disclosure will be done with accuracy – in that the details of a particular vehicle owner and abandoned vehicle should only be disclosed to the bank or financing company that financed the purchase of the vehicle and not to all possible banks or financing companies. Disclosures cannot be done in an indiscriminate manner since it would violate the principle of proportionality.

7 Data Privacy Act of 2012, §11.

20 THE 2022 COMPENDIUM OF NPC ISSUANCES


Finally, we note that it was unclear how the banks and/or financing
companies involved in the financing of specific abandoned vehicles
were determined by the PIC. We highlight that in the identification
of these banks and/or financing companies, it is important that PICs
likewise observe compliance with the general data privacy principles
and other provisions of the DPA.

This opinion is based solely on the limited information you have provided. Additional information may change the context of the inquiry and the appreciation of facts. This opinion does not adjudicate issues between parties nor impose any sanctions or award damages.
For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office



ADVISORY OPINION
NO. 2022-0031
14 February 2022

Re: REQUEST FOR A COPY OF COMPLAINTS FILED AND RECORDS IN RELATION THERETO

Dear

We write in response to your request for an Advisory Opinion received by the National Privacy Commission (NPC) on whether to grant the request for a copy of the complaints previously filed against a certain doctor in 2018 by five (5) medical bodies including the documents provided by the said doctor in relation to such complaints.

We understand that the documents requested will be used by the requestor in connection with a case filed by the doctor against the said requestor.

Sensitive personal information; lawful processing; establishment, exercise or defense of legal claims under Section 13(f) of the Data Privacy Act of 2012

Republic Act No. 10173, otherwise known as the Data Privacy Act of 20122 (DPA), provides a specific enumeration of personal data classified as sensitive personal information under the law, one of which involves a data subject’s information pertaining to offenses and the incidence in relation thereto, to wit:

“(l) Sensitive personal information refers to personal information: x x x

1 Tags: sensitive personal information; lawful processing; protection of lawful rights and interest of natural or legal persons in court proceedings; establishment, exercise or defense of legal claims.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).



(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings.” 3 (emphasis supplied)

In fine, any (1) proceeding for any offense committed or alleged to have been committed by a data subject; (2) the disposal of the proceedings; or (3) the sentence of any court in such proceedings, are considered as sensitive personal information under the DPA.

Although there is a prohibition under the law to process sensitive personal information, the DPA also provides for exceptions to this rule. Section 13 (f) recognizes the processing which concerns the establishment, exercise, or defense of legal claims. The provision reads:
“SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases: x x x

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interest of natural or legal persons in court proceedings or the establishment, exercise, or defense of legal claims, or when provided to government or public authority.”4

It must be noted that in the determination on whether a request based on the aforementioned provision should be granted, “the legitimacy of the purpose and the proportionality of the request shall be taken into consideration”.5

We understand that the request received by the Department of Health (DOH) was in the form of an email communication without any detail as to what the pending case is. To satisfy the DOH on the legitimacy of the purpose of the request, it may opt to require the requestor to provide additional information on the case. But this requirement shall still adhere to the principle of proportionality, and whatever additional information received shall be used solely for the purpose of aiding the DOH in deciding whether to release the requested documents.

3 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for other purposes [Data Privacy Act of 2012] Republic Act No. 10173, § 3 (l) (2) (2012).
4 Data Privacy Act of 2012, § 13 (f).
5 See: National Privacy Commission, NPC Advisory Opinion No. 2021-044 (Dec. 29, 2021).



It is likewise suggested that the DOH establish a system to handle
such requests, to streamline the process and make it more efficient
in case there will be similar requests in the future.

The DOH may also clarify with the requestor if instead of the release
of the actual copies of the complaints and related documentation, an
official certification from the DOH stating the details or a summary
of the complaints filed, i.e., names of the medical bodies, nature of
the complaints, date filed, status, etc., should suffice.

Should the request be granted, the DOH should require the requestor
to sign an undertaking to the effect that the requestor recognizes that
the use of the documents will be for the sole purpose of protecting
his rights and interests in the case filed against him and that the use
thereof beyond its declared purpose may equate to unauthorized
processing penalized under the pertinent provision of the DPA. It
is also important to include a clause in the undertaking whereby
the requestor acknowledges that his receipt of the requested
documents carries with it the obligations of a personal information
controller under the DPA.6

This opinion is based solely on the limited information you have provided. Additional information may change the context of the inquiry and the appreciation of facts. This opinion does not adjudicate issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office

6 Id.



ADVISORY OPINION
NO. 2022-0041
15 February 2022

Re: DISCLOSURE OF INCAPACITATED PATIENTS AND DECEASED PATIENTS’ MEDICAL INFORMATION

Dear

We write in response to your request for an Advisory Opinion received by the National Privacy Commission (NPC) to provide guidance on the disclosure of the medical information of incapacitated patients and deceased patients.

We understand from your letter that St. Luke’s Medical Center (SLMC), in providing medical and healthcare services, encounters cases wherein a patient is unconscious or otherwise unable to give consent. Furthermore, you provided that SLMC is faced with issues whenever the said patient’s relatives, other than his or her spouse, common-law spouse or child who is already transacting with SLMC, ask for updates about the patient’s medical condition and request for the medical records of the patient.

1 Tags: sensitive personal information; lawful processing; protection of lawful rights and interest of natural or legal persons in court proceedings; establishment, exercise or defense of legal claims.



You now seek guidance and clarification on the relatives who can give
consent on behalf of the patient in the above scenario. Specifically,
you asked the following:

1. Who has the right to receive (i) medical documents; and (ii) status updates regarding an incapacitated patient?
a. Can any heir or relative of the patient request for medical documents and status updates from the hospital?
b. Can other relatives be excluded by next-of-kin from receiving medical documents and status updates?
c. Who should be our default recipient of medical documents and status updates?
2. In case relatives disagree on the issue of disclosing the status of patient’s medical condition and documents, what is the hierarchy on knowing who to follow?
a. Do we follow the spouse first, then children, then parents? What if the spouse and the children disagree?
b. For children of legal age who disagree on a decision of sharing medical condition and documents of the patient, do we follow the eldest or do we put it to a vote? Do we have the obligation to reach out to absent children of legal age?
3. Do we have the obligation to search for an absent next-of-kin to give status updates?
4. Will the answers to queries above change if the patient expires? Does the existence of legal heirs exclude other relatives from securing medical documents from the hospital (e.g., a parent requesting medical records of a deceased son/daughter who has predeceased his or her spouse and children)?

Rights of data subjects; right to access; transmissibility of rights

Data subjects are entitled to various rights under the Data Privacy
Act of 20122 (DPA) and its Implementing Rules and Regulations3
(IRR). One of the rights granted is the right of reasonable access to,
upon demand, the contents of one’s personal data that have been
processed, among other information relating to the processing of
his or her personal information and sensitive personal information
(collectively, personal data).4

2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
3 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173 (2016).
4 Data Privacy Act of 2012, § 16 (c) (2012).



This right to access, however, may be limited in certain instances.
In the current scenario, the following provision of NPC Advisory No.
2021-01 on Data Subject Rights may be taken into consideration:

“SECTION 8. Right to Access. — x x x

C. The following instances, where applicable, may limit the right to access: x x x

4. Consideration of the safety of the data subject. In exceptional cases and subject to any applicable ethical guidelines, limitations on the right to access may apply if in the professional evaluation and determination of the PIC, providing access to the requested information may cause serious harm to the physical, mental, or emotional health of the data subject.”5

Otherwise, the personal information controller (PIC) is obliged to grant the request of the data subject.

The right to access, along with the other rights of data subjects,
must be read together with Section 17 of the DPA on transmissibility
of rights. The provision states that the lawful heirs and assigns of the
data subject may invoke the rights of the data subject for which he
or she is an heir or assignee at any time after the death of the data
subject or when the data subject is incapacitated or incapable of
exercising the rights under the DPA.6

Please take note that the DPA does not distinguish nor identify the
persons considered to be the “lawful heirs and assigns of the data
subject”. Hence, the determination of such matter may be guided
by the general laws on the hierarchy of legal heirs provided under
several provisions of the Civil Code of the Philippines on the laws of
succession and the rules on guardianship of incompetent persons.

Incapacitated and deceased data subjects; legal heirs and assigns

As to the determination of the heir or relative who has the right to receive medical documents and status updates of an incapacitated patient, we reiterate that the DPA does not distinguish the legal heirs

5 National Privacy Commission, Data Subject Rights [NPC Advisory No. 2021-01], § 8 (c) (4) (29 Jan 2021).
6 Data Privacy Act of 2012, § 17.
7 SPECIAL PROCEEDINGS, Rule 92, § 2.
8 Id., Rule 93, § 1.



and assigns of an incapacitated data subject. The DPA may not be
the appropriate law to be used as basis under this circumstance. With
this, reference may be made to the general laws on the hierarchy
of heirs and legal assigns identified under various provisions of the
Civil Code or the rules on guardianship over incompetent persons7
under the Rules of Court on Special Proceedings,8 whichever may
be applicable to the particular scenario and subject further to such
other laws, regulations, and guidelines as may be applicable.

We note that this does not preclude SLMC, as a PIC, from crafting
policies on the classification of relatives, the exclusion of other types
of relatives and the designation of a default relative who may receive
medical documents and status updates. Likewise, due regard must
be given to ethical guidelines that may apply.

The above shall also apply in case of disagreement among relatives on the issue of disclosing the status of a patient’s medical condition. To reiterate, SLMC may refer to the hierarchy of heirs provided by the Civil Code on the laws of succession or the rules of guardianship over incompetent persons under the Rules of Court on Special Proceedings, whichever may be applicable, in the crafting of its policies on the disclosure of a patient’s medical condition and records.

With regard to SLMC’s obligation to search for an absent next-of-kin, the DPA does not require PICs to do this. The NPC is also not privy to any laws or regulations which require healthcare providers to exhaust all means to search for an absentee next-of-kin. As far as the DPA is concerned, an incapacitated data subject still has the right to exercise his or her rights under the law through a legal heir or assign. If an incapacitated person does not have any other heir to whom status updates may be provided, SLMC may consider searching for the said heir through reasonable efforts.

Lastly, as to the applicability of the above discussions to deceased patients, we wish to reiterate our position. The rights of deceased data subjects, similar to incapacitated data subjects, can still be exercised through the transmissibility of rights under Section 17 of the DPA. Similarly, the DPA does not distinguish on whether a different set of rules and procedure would apply to deceased and incapacitated data subjects. The DPA may not be the appropriate law for this circumstance, and accordingly, SLMC may refer to the laws on succession, and the laws on testate succession in case the deceased left a will and designated a person to attend to his or her medical records. Moreover, it may be more appropriate to refer to the said law with regard to the strict application of the rules on the exclusion of other relatives.

We emphasize that, as far as the DPA is concerned, the rights of data subjects including those who are deceased, incapacitated or otherwise incapable of exercising such rights, are respected. Although the DPA does not distinguish the groups of relatives who may exercise the same, the rights of the deceased or incapacitated data subjects are still existent and may be exercised by his or her lawful heirs and assigns, subject to existing laws on succession and guardianship, whichever may be applicable. The foregoing laws referred to above may be considered, guided by applicable rules and ethical guidelines and considerations that the health sector is subject to.

It is the responsibility of the PIC to establish policies on addressing issues on disclosures to relatives, subject to the applicable laws and rules. SLMC must still implement appropriate and reasonable security measures in the disclosure of medical information to legal heirs and assigns. For example, SLMC may implement policies on properly identifying the heirs of deceased and incapacitated patients by requiring the presentation of certain documents to prove their identities. Further, the fact of disclosure to the heir must be documented (i.e., the heir may be asked to sign certain documents to record such disclosure). In the establishment of these policies, SLMC should also consider the inclusion of policies and mechanisms on ensuring that the requesting party, acting on behalf of the data subject, is clearly informed of the reason in case of the limitation or denial of the request, as required under Section 14 of NPC Advisory No. 2021-01.

This opinion is based solely on the limited information you have provided. Additional information may change the context of the inquiry and the appreciation of facts. This opinion does not adjudicate issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office



ADVISORY OPINION
NO. 2022-0051
24 February 2022

Re: REQUEST FOR NAMES AND ADDRESSES OF VEHICLE OWNERS FROM THE LAND TRANSPORTATION OFFICE

Dear

We write in response to your inquiry received by the National Privacy Commission (NPC), endorsed by the Department of the Interior and Local Government (DILG), on the Land Transportation Office’s (LTO’s) denial of your request for the names and addresses of the owners of some allegedly noisy vehicles in a certain locality.

We understand that you filed an email complaint with the LTO on “nuisance due to noisy vehicles” in your village. Together with the email complaint, you requested for the names and addresses of the owners of the noisy vehicles for the filing “of formal/legal charges of damages due to the pain and sufferings from the emotional distress and mental anguish cause[d] by the noisy vehicles.”

We also understand that the LTO responded to your email complaint and stated that they already issued proper notices for the owners of the noisy vehicles “to show cause, as part of due process, their defense.” The LTO likewise denied your request, stating that the Data Privacy Act of 20122 (DPA) prohibits disclosure of personal information without consent.

Criteria for lawful processing of personal information

The name and address of a vehicle owner are personal information, the processing of which is covered by the DPA. We wish to clarify

1 Tags: lawful processing; consent; legitimate interest; protection of lawful rights and interest of natural or legal persons in court proceedings; establishment, exercise or defense of legal claims.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).



that the LTO’s statement that the DPA prohibits them from disclosing
personal information without consent is not entirely accurate.
Consent is not the only lawful basis for processing personal
information. Section 12 of the DPA provides for the various criteria
for lawful processing, to wit:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.3

The LTO should determine whether the request for the disclosure
of the information falls under any other criteria for lawful processing
of personal information. We emphasize that consent will not always
be the most appropriate lawful basis, considering the relationship of
the personal information controller (PIC) with the data subject and
purpose of the processing, among others.

3 Data Privacy Act of 2012, § 12.
4 United Kingdom Information Commissioner’s Office (ICO), What is the ‘Legitimate Interests’ basis?, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/ [last accessed on 18 January 2022]



Legitimate interests as lawful basis for processing
personal information

We understand that the purpose for the request of the names and
addresses of the motor vehicle owners is for the filing of a civil action
for damages “due to the pain and sufferings from the emotional
distress and mental anguish cause[d] by the noisy vehicles.” It is
worthy to assess whether the purpose of the request falls under
Section 12 (f) of the DPA which provides for legitimate interests as a
lawful basis for the processing of personal information.

‘Legitimate interests’ is different from the other criteria for lawful processing of personal information as it is not centered around a specific purpose, nor is it processing that the individual has specifically agreed to – it can, in principle, apply to any type of processing for any reasonable purpose.4

Since processing based on legitimate interests can apply to a wide range of circumstances, there is a need to balance legitimate interests, the necessity of the processing and the rights of the individuals while taking into consideration the circumstances.5 Thus, in the determination of a legitimate interest, the personal information controller (PIC) must consider the following:

1. Purpose test – The existence of a legitimate interest must be clearly established, including a determination of what the particular processing operation seeks to achieve;
2. Necessity test – The processing of personal information must be necessary for the purpose of the legitimate interest pursued by the PIC or third party to whom personal information is disclosed, where such purpose could not be reasonably fulfilled by other means; and
3. Balancing test – The fundamental rights and freedoms of data subjects must not be overridden by the legitimate interests of the PIC or third party, considering the likely impact of the processing on the data subjects.6

The LTO should have assessed the request based on the aforementioned tests considering the specific purpose declared in the request. As a PIC who holds a repository of personal and sensitive personal information, it is expected that it should have

5 Id.
6 See generally, Data Privacy Act of 2012, § 12 (f); United Kingdom Information Commissioner’s Office (ICO), What is the ‘Legitimate Interests’ basis?, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/ [last accessed on 18 January 2022].
7 1997 Rules of Procedure, as Amended, Rule 1, § 3 (a).
8 National Privacy Commission, BGM vs. IPP, NPC 19-653 (Dec. 17, 2020).



policies and processes in place to evaluate whether a request for information constitutes a legitimate interest of a requesting party, among other lawful bases for processing.

Establishment of legal claims as a legitimate interest; Section 13 (f)

The processing of personal information for the filing of formal/legal charges for damages is a legitimate interest. An action for the recovery of damages is characterized as a civil action. A civil action is one by which a party sues another for the enforcement or protection of a right, or the prevention or redress of a wrong.7 While there is an existing administrative case initiated through the email complaint, it will not address the violation of the civil rights of a complainant. Thus, an administrative case does not preclude the filing of a civil action for damages.

The Commission, in BGM vs. IPP8, had the occasion to explain that the protection
of lawful rights and interests under Section 13 (f) of the DPA is considered as
legitimate interest pursuant to Section 12 (f) of the DPA:

Based on the foregoing, the disclosure to be made by the Respondent of the information of the recipient of Complainant’s personal information, for purposes of identification of the person liable for the alleged fraud, sans the latter’s consent, is necessary for the protection of the lawful rights and interests of the Complainant as contemplated by Section 13 (f) of the DPA.

Although Section 13 (f) applies to sensitive personal information while the information involved in this case is just personal information, the protection of lawful rights and interests under Section 13 (f) by the Respondent is considered as legitimate interest pursuant to Section 12 (f) of the DPA. This section provides that it is lawful to process personal information if it is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

By application in the instant case, Respondent may not be held liable for
unauthorized processing should it disclose the requested information
to Complainant as its disclosure would be in pursuance of the latter’s
legitimate interest as the same cannot be fulfilled by other means.

It should be stressed, however, that having a legitimate purpose or some other lawful criteria to process does not result in the PIC granting all request to access by the data subjects. Such requests should be evaluated on a case to case basis and must always be subject to the PIC’s guidelines for the release of such information.

Thus, the processing of personal information for the establishment of legal claims is permitted under the DPA. “Establishment” may include activities to obtain evidence by lawful means for prospective court proceedings.

General data privacy principle; proportionality; accountability

While there may be lawful basis for your request, any disclosure
of personal information should still be proportional to the stated
purpose.

The principle of proportionality provides that “the processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.”9

You are requesting LTO for the names and registered addresses of the
owners of noisy vehicles you have identified through photographs of
their plate numbers. The purpose of which is for the filing of “formal/
legal charges of damages.” Since your request is only for the said
information, LTO cannot provide more than that. The principle of
proportionality necessitates that only the information requested
and necessary for the purpose indicated should be processed.

While the letter request you sent to LTO is a mass request for information of several individuals, the request for each motor vehicle owners’ information should be treated as individual requests. To this effect, LTO must require further information from you, the requesting party, to ensure a comprehensive evaluation of whether to grant each request for information and decide on a case-by-case basis. You, on the other hand, must be able to provide sufficient information to support each of the requests. In Advisory Opinion 2022-003, we opined that additional information may be required by the granting party to ascertain the validity of the purpose for the request:

To satisfy the DOH on the legitimacy of the purpose of the request, it may opt to require the requestor to provide additional information on the case. But this requirement shall still adhere to the principle of proportionality, and whatever additional information received shall be used solely for the purpose of aiding the DOH in deciding whether to release the requested documents.

9 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173 (2016), § 18 (c).

34 THE 2022 COMPENDIUM OF NPC ISSUANCES


LTO must establish a system for handling these types of requests for information to avoid the possibility of abuse. As a request for personal information for the filing of a legal action falls under the legitimate interests of the requesting party, the system must assess whether each request satisfies the three aforementioned tests. It must also provide for a mechanism to ensure that the information to be disclosed will only be used for the purpose/s indicated.

In Advisory Opinion No. 2021-044, it was recommended that in case a request for personal information is granted, the requesting party should be required to sign an undertaking that the information will only be used for the purpose that was declared:
Should the CHMSC grant the request, it is suggested that the Requesting Party be
required to sign an undertaking that the use of the documents will only be for the
purpose of filing a complaint with the Ombudsman and that the proper disposal
thereof is ensured if he does not push through with the filing of the complaint.
Further, the undertaking must include a clause to the effect that the requestor
acknowledges that he becomes a PIC by his receipt of the requested documents
and therefore has the obligations of a PIC as prescribed under the DPA.

Thus, LTO should similarly require a requesting party to sign an undertaking that the information that will be acquired will only be used for the purpose which was declared and authorized.

Lastly, we wish to underscore that should the information be provided, its use is limited to the declared purpose of filing formal/legal charges by the concerned or affected individual who allegedly suffered damages. Thus, the sharing, posting or any publication of such information in any public-facing platform such as social media pages or your public Facebook group, “BF Resort Village People,” is prohibited. While you may coordinate your efforts in filing an action for damages through such platforms, you must do so in a way that will not result in the publication of the information that you might acquire from LTO.

We caution that should there be processing beyond the stated purpose, the same may be penalized under the appropriate provisions of the DPA, such as Unauthorized Processing of Personal Information, Processing of Personal Information for Unauthorized Purposes or Unauthorized Disclosure, which carry penalties of “imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00),”¹⁰ one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00),¹¹ or “imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00),”¹² respectively.

10 Data Privacy Act of 2012, § 25(a).

This opinion is based solely on the limited information you have provided. Additional information may change the context of the inquiry and the appreciation of facts. This opinion does not adjudicate issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office

cc : VIVIAN P. SUANSING
Director III/Officer-in-Charge, Bureau of Local Government Supervision
Department of the Interior and Local Government

ROBERTO A. VALERA
Deputy Director, Law Enforcement Service
Land Transportation Office

JO-ANN R. ALCID, Program Director
ATTY. VERNICE C. LIWAG-PRIETO, Detailed Public Attorney
Department of Justice Action Center

11 Data Privacy Act of 2012, § 28, par. 1.
12 Id. § 32.



ADVISORY OPINION NO. 2022-006¹

28 February 2022

Re: REQUEST FOR CUSTOMER’S PERSONAL DATA AND TRANSACTION HISTORY WITH A PRIVATE COURIER

Dear ,

We write in response to your request for an Advisory Opinion received by the National Privacy Commission (NPC) on whether to grant the request of the Philippine Drug Enforcement Agency (PDEA) for certain personal data, including the transaction history, of one of your clients.

We understand that your company is engaged in the logistics delivery and e-commerce business, acting as courier of parcels of your customers for delivery to their own clients. Thus, the company processes personal information of its customers as well as the latter’s clients.

We understand further that the PDEA request was made pursuant to an ongoing investigation of the individual named in the request for illegal drug trafficking by means of courier platforms.

Further, we understand that there is an existing Memorandum of Agreement (MOA) between your company and the PDEA on coordination and mutual assistance for the effective and efficient implementation of the Comprehensive Dangerous Drugs Act of 2002,² with provisions on the duties and obligations of the parties, which include assistance in the collection, processing, and analysis of information on illegal drug activities. The pertinent provisions included in your letter read, viz:

1 Tags: special cases; public authority; law enforcement; constitutional and statutory mandate; proportionality.
2 An Act Instituting The Comprehensive Dangerous Drugs Act Of 2002, Repealing Republic Act No. 6425, Otherwise Known As The Dangerous Drugs Act Of 1972, As Amended, Providing Funds Therefor, And For Other Purposes [Comprehensive Dangerous Drugs Act of 2002], Republic Act No. 9165 (2002).



“a. Assist the PDEA in collecting, processing, and analyzing information on illegal drug activities by promptly notifying it within (24) (sic) hours;
b. Assist PDEA in gathering information, monitoring, and identification of suspected drug trafficking activities;
c. Relay, deliver and report timely intelligence information or all other information obtained in the course of their business shall be brought to the PDEA for the purpose of anti-drug operations;

xxx

m. To grant access to the authorized members of the PDEA, to the merchandise/items being sold, or about to be transported from the seller and/or from their facility/warehouse to the prospective buyer/client, whenever there is an intelligence report of merchandise, item or good suspected to be containing dangerous drugs and controlled precursors and essential chemicals.”

You mentioned that your company is inclined to deny the request in view of the prohibitions of the Data Privacy Act of 2012³ (DPA) but noted the exceptions under Section 4 (e) of the law pertaining to information necessary in order to carry out the functions of public authorities. You now ask whether your company may grant the PDEA’s request.

Scope of the DPA; special cases under the DPA; public authority; mandate; law enforcement

The DPA and its Implementing Rules and Regulations⁴ (IRR) provide a list of specified information that does not fall within the scope of the law.⁵ In particular, information necessary to carry out the functions of a public authority is considered a special case under the IRR, to wit:
“SECTION 5. Special Cases. The Act and these Rules shall not apply to the following specified information, only to the minimum extent of collection, access, use, disclosure or other processing necessary to the purpose, function, or authority concerned: x x x

d. Information necessary in order to carry out the functions of public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restriction provided by law. Nothing in this Act shall be construed as having amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

xxx

Provided, that the non-applicability of the Act or these Rules do not extend to personal information controllers or personal information processors who remain subject to the requirements of implementing security measures for personal data protection: Provided further, that the processing of the information provided in the preceding paragraphs shall be exempted from the requirements of the Act only to the minimum extent necessary to achieve the specific purpose, function or activity.”⁶ (Underscoring supplied)

3 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
4 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173 (2016).
5 Id. § 4 (e) (2012).

The above special case provides for qualifications or limitations on the application of the provisions of the DPA and its IRR. This means that when the personal and/or sensitive personal information (collectively, personal data) is needed to be processed by a public authority, such as the PDEA, pursuant to its statutory mandate, the processing of such personal data may be allowed under the law, to the minimum extent of collection, access, use, disclosure, or other processing necessary to the purpose, function, or activity concerned.

The following should guide the company in relation to the above-quoted provision:

a) The information is necessary in order to carry out the law enforcement functions. Where the processing activity violates the Constitution, or any other applicable law, the processing will not be considered necessary for law enforcement purposes;
b) The processing is for the fulfillment of a constitutional or statutory mandate; and
c) There is strict adherence to all due process requirements. Where there is a nonconformity with such processes, such processing shall not be deemed to be for a special case.⁷

Please also note that the interpretation of the aforementioned provision shall be strictly construed: only the specified information is outside the scope of the DPA, and the public authority remains subject to its obligations as a personal information controller (PIC) under the DPA such as implementing security measures to protect personal data, upholding the rights of data subjects, and adhering to data privacy principles, among others.⁸

6 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 5 (d) (2016).
7 See: National Privacy Commission, NPC Advisory Opinion No. 2021-018 (18 June 2021).
8 See: National Privacy Commission, NPC Advisory Opinion Nos. 2020-015 (24 Feb 2020) and 2021-028 (16 July 2021).

We further note that the PDEA is created under the Comprehensive Dangerous Drugs Act of 2002. Under the law, one of PDEA’s powers and duties is the initiation of investigative operations related to drug-related activities, to wit:

“(b) Undertake the enforcement of the provisions of Article II of this Act relative to the unlawful acts and penalties involving any dangerous drug and/or controlled precursor and essential chemical and investigate all violators and other matters involved in the commission of any crime relative to the use, abuse or trafficking of any dangerous drug and/or controlled precursor and essential chemical x x x” (Underscoring supplied)

Thus, PDEA’s request for personal data and transaction history of your identified client may fall under the processing of personal data under a special case as discussed above vis-à-vis its mandate.

Data sharing; data sharing agreements

A data sharing agreement (DSA) refers to a contract, joint issuance or any similar document which sets out the obligations, responsibilities, and liabilities of the PICs involved in the transfer of personal data between or among them, including the implementation of adequate standards for data privacy and security and the upholding of the rights of data subjects.

We note that the MOA you executed with PDEA may be considered a form of DSA, as the majority of its provisions deal with further processing of personal data in your possession.

Indeed, although the execution of a DSA is not mandatory, it is still considered a best practice as provided under NPC Circular No. 2020-03,⁹ to wit:

“SECTION 8. Data sharing agreement; key considerations. – Data sharing may be covered by a data sharing agreement (DSA) or a similar document containing the terms and conditions of the sharing agreement, including obligations to protect the personal data shared, the responsibilities of the parties, mechanism through which data subjects may exercise their rights, among others.

9 National Privacy Commission, Data Sharing Agreements [NPC Circular No. 2020-03] (23 December 2020).



The execution of a DSA is a sound recourse and demonstrates accountable
personal data processing, as well as good faith in complying with the
requirements of the DPA, its IRR, and issuances of the NPC. The Commission
shall take this into account in case a complaint is filed pertaining to such
data sharing and/or in the course of any investigation relating to, as well
as in the conduct of compliance checks.”

It is also important to note that data sharing may be based on any of the criteria for lawful processing of personal data in Sections 12 and 13 of the DPA, and also pursuant to Section 4 of the law, which enumerates the special cases.

As discussed above, although DSAs are not mandatory, the execution of such an agreement is encouraged as the same demonstrates the accountability of the involved PICs.

General data privacy principles; proportionality

However, we emphasize that while there may be a legal ground for the granting of the request, the same shall only be to the minimum extent and in proportion to the purpose declared in their request, in keeping with the general data privacy principle of proportionality.

Thus, the disclosure should be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. These qualifiers serve as the measures by which a determination can be made on whether processing is proportional and justified in relation to the declared purpose. Further, this principle requires that personal data shall only be processed if the purpose of the processing could not reasonably be fulfilled by other means.

Therefore, indiscriminate disclosure of all personal data in your possession might not be the best recourse, as this could be a violation of the principle of proportionality.

For this purpose, the company should check the different categories
of personal data that it processes to have an initial determination of
whether the disclosure thereof is relevant to the PDEA’s investigation
based on the information in the letter request as well as the other
discussions between the company and PDEA. Alternatively, the
company may disclose to PDEA the categories of personal data
that it has and ask PDEA for feedback on the particulars of what
they need and how the same relates to the investigation.



Finally, please note that the discussions above pertain to the
processing of personal data as provided for under the DPA, its IRR,
and issuances of the NPC and do not encompass the appropriate
requirements for the validity of a search and/or seizure of the
contents of the parcel/s of your clients.

This opinion is based solely on the limited information you have provided. Additional information may change the context of the inquiry and the appreciation of facts. This opinion does not adjudicate issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office



ADVISORY OPINION NO. 2022-007¹

28 February 2022

Re: TRANSPORT OF PHYSICAL MEDIA CONTAINING PERSONAL DATA

Dear ,

We write in response to your request for an advisory opinion received by the National Privacy Commission (NPC or the Commission) on whether the act of transporting physical media that may contain personal and sensitive personal information (collectively, personal data) is considered “processing” of the personal data contained therein under existing data privacy legislation such as the Data Privacy Act of 2012² (DPA), its Implementing Rules and Regulations (IRR) and applicable NPC issuances.

We understand that your company is a courier and logistics company engaged in the pick-up, transport and delivery of mails, letters, pouches, cargoes and personal effects of all kinds, wherein the collection and processing of the personal data of both the shipper (sender) and the consignee (receiver) are necessary parts of its business.

Further, we understand that among the items that are endorsed to your company for delivery are physical media such as paper documents, laptops, and other data storage devices that may contain personal data.

1 Tags: personal information controller; personal information processor; processing; personal information; liability; damages; accountability.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).



You now come to the Commission to seek clarification on the following matters:

1. Whether the act of transporting physical media that may contain personal data is considered “processing” of the personal data contained therein under the DPA, its IRR and applicable NPC issuances?
2. Whether a courier company is liable under existing data privacy legislation in the event of loss or damage to the shipment of physical media that contains personal data?
3. Can the data subject claim damages from the courier company for a data privacy breach if such data subject becomes a victim of identity fraud or identity theft arising from the lost or damaged shipment of physical media that may contain personal data?

Personal information controller and processor; personal information; processing

A personal information controller (PIC) is the person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.³ There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.⁴

On the other hand, a personal information processor (PIP) is any natural or juridical person to whom a PIC may outsource the processing of personal data pertaining to a data subject.⁵

Based on the definitions, and as described in your letter with regard to the business of your company, it is apparent that your company is a PIC with regard to the personal data of shippers (sender) and consignees (receiver) and should therefore comply with all of its obligations under the DPA.

However, there is a need to clarify and define its role and obligations with respect to its supervision or control over physical media that are endorsed to it for pick-up, transport and/or delivery.

3 Data Privacy Act of 2012, § 3 (h).
4 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 3 (m).
5 Data Privacy Act of 2012, § 3 (i).
6 Id. § 3 (g).



The DPA defines personal information as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.⁶

Processing of personal information, on the other hand, refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Considering the above, physical media being transported may or may not contain personal data. Even where it does contain personal data, the identity of an individual may or may not be apparent and cannot be ascertained by your company.

We should distinguish the situations wherein your company knows or should know whether the physical media endorsed to it for pick-up, transport and delivery contains personal data, because such is apparent on its face or due to the nature of its engagement with the other PIC/s, such as but not limited to the pick-up, transport and/or delivery of credit cards, credit card statements, bills, passports, civil registry documents, and the like.

As for transactions wherein your company has no way of knowing whether the physical media endorsed to it for pick-up, transport and delivery contains personal data, it cannot be said outright that your company is engaged in personal data processing. In these cases, the company would only be acting as a PIC in relation to the personal data of the shipper (sender) and consignee (receiver).

In addition, we must emphasize that in order for the company to be considered a PIP in this instance, the PIC-consignor has to declare that the physical media contains personal information, and there must likewise be a declaration that it is acting as a PIC and that the intention of the transaction is to make the company a PIP. However, in transactions wherein the consignor is an individual who holds, processes, or uses personal information in connection with one’s personal, family, or household affairs, the company cannot be considered a PIP, as in this situation the law provides that the individual involved is not considered a PIC.



Therefore, to determine the company’s role in transporting physical media, the above declarations from the consignor should be made in an appropriate form provided by the company.

Determination of liability; loss of or damage to physical media which contains personal data

The determination of liability in the event of loss of or damage to physical media which contains personal data during its transport would generally be covered by the ordinary terms and conditions of a given service, or some other law or regulation applicable to a courier for any normal loss, damage, and/or destruction of the physical media endorsed to it for pick-up, transport and delivery.

The same will not automatically constitute a data privacy violation under the DPA. Following the discussion above, this determination will depend on whether the company is acting as a PIP or not, either because it knew or should have known that the physical media contains personal data or pursuant to its contract with its PIC. In the latter case, its liability may be determined based on the specific terms of its contract with its PIC and its level of compliance with its duties as a PIP.

Specific to loss or damage, we refer further to Section 26 of the DPA on Accessing Personal Information and Sensitive Personal Information Due to Negligence. If the loss or damage resulted in allowing an unauthorized person to have access to the personal information contained in the physical media through negligence, the determination of the presence of negligence and the ensuing liability may depend on whether the company is transporting the physical media as a PIP.

Damages for personal data breach; principle of accountability

As to the claim of damages by data subjects, the determination of liability and indemnification for any damages sustained are made on a case-to-case basis.

We reiterate that pursuant to the principle of accountability under Section 21 of the DPA, each PIC is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation. The PIP, on the other hand, has the duty to comply with the requirements of the DPA, its Rules, other applicable laws, and other issuances of the Commission, in addition to obligations provided in a contract or other legal act with a PIC.⁷



Further, the DPA IRR provides that the PIC and PIP shall implement reasonable and appropriate security measures for the protection of personal data.⁸ Such measures shall aim to maintain the availability, integrity, and confidentiality of personal data and are intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.⁹ They should be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

As discussed, the liability of the company may also depend on certain factors: first, the personality of the consignor-shipper, whether the same is considered a PIC under the DPA or not, and second, whether the consignor-shipper declared to the company that the physical media contains personal data.

Lastly, it is suggested that the company consider implementing changes to its processes so that it is duly informed at the outset on whether a consignor is a PIC and that the intention of the transaction is to make the company a PIP, and whether particular items shipped contain personal data, so that the appropriate safeguards can be implemented accordingly. This may be done through appropriate forms, by informing the consignor at the outset of what their role would be in the transport of the physical media, and by making it declare in the appropriate form that it is the PIC and that the intention of the transaction is to make the company a PIP.

This opinion is based solely on the limited information you have provided. Additional information may change the context of the inquiry and the appreciation of facts. This opinion does not adjudicate issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office

7 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 45.
8 Id. § 25.
9 Id.



ADVISORY OPINION NO. 2022-008¹

2 March 2022

Re: OBTAINING EMPLOYMENT RECORD OR CERTIFICATION FROM THE SOCIAL SECURITY SYSTEM

Dear ,

We write in response to your inquiry received by the National Privacy Commission (NPC or the Commission) to provide clarity on the permissibility of obtaining service records of individuals from the Social Security System (SSS) considering the provisions of the Data Privacy Act of 2012² (DPA).

From your email, we understand that VeritasPay Philippines, Inc. (VeritasPay) is a party to an ongoing labor case filed by its previous employees with the National Labor Relations Commission (NLRC) 1st Division. VeritasPay seeks to request a copy of records or certifications from the SSS indicating that the previous employees are now employed with another employer.

You now seek guidance from the Commission on the following queries:

1. Is it possible to request a copy of the record or certification from the SSS indicating that a previous employee is currently employed with another employer; and
2. Is the record or proof of employment classified as public record pursuant to Executive Order No. 2, Series of 2016 or Operationalizing in the Executive Branch the People’s Constitutional Right to Information and the State Policies of Full Public Disclosure and Transparency in the Public Service and Providing Guidelines Thereof (E.O. No. 2, s. 2016 on Freedom of Information in the Executive Branch).
1 Tags: employee service record; protection of lawful rights and interest; court proceedings; legitimate interest.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).



We further understand that the purpose for obtaining the record or
proof of employment is for the company to properly pray in its next
pleading for the NLRC 1st Division to provide a correct computation
of monetary award and delete the period where the terminated
employees are already employed with another employer, alleging it
would be tantamount to double compensation and unjust enrichment
enshrined in the New Civil Code.

Lawful processing; protection of lawful rights and interest in court proceedings

Any record of employment or service record may contain personal information and sensitive personal information of the employee concerned. The disclosure of such records must have legal basis under the DPA and existing laws.

In the present situation where there is a pending labor case with the
NLRC, and the request for the employment records or certification
is necessary for proper litigation of VeritasPay’s defense, the
disclosure of such records may find ground under Sections 12 and
13 of the DPA, viz:
SEC. 12. Criteria for Lawful Processing of Personal Information. The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:
xxx

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: x x x

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.³ (emphasis supplied)

However, while it appears there exists justification for the disclosure of personal data, the DPA mandates that the principle of proportionality should still be adhered to. Proportionality requires that the processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.⁴
3 Data Privacy Act of 2012, §§ 12 (f) & 13 (f).
4 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 18 (c) (2016).



Given the foregoing, while there may be lawful basis for obtaining
the employment records, based on the purposes stated in your
inquiry, it appears that only specific facts of employment are
necessary for VeritasPay’s defense in the NLRC case, such as the
fact of employment, name of employer and period of employment.
These pieces of information may be given by the SSS through a
certification. It need not provide a copy of the entire record of
employment of the concerned employees.

Record or proof of employment; processing of public
record under the scope of the DPA

On the question of whether the employment record is considered as
public record under E.O. No. 2, s. 2016 on Freedom of Information
in the Executive Branch, the NPC may not be the proper agency to
determine its status as a public record since this is dependent on the
law of SSS, rules and regulations, as well as E.O. No. 2. However, even
if such records were classified as public records, the processing of
the same is still within the scope of the DPA and its related issuances.

Likewise, the Inventory of Exceptions to EO No. 2 (S. 2016)5 includes
information deemed confidential for the protection of the privacy of
persons as an exception to the general rule of disclosure in the right
of access to information. The employment records contain personal
data and the disclosure of the same must be in accordance with the
DPA and other existing laws and regulations.

This opinion is based solely on the limited information you have
provided. Additional information may change the context of the
inquiry and the appreciation of facts. This opinion does not adjudicate
issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office

5 Office of the President, Inventory of Exceptions to Executive Order No. 2 (S. 2016), Memorandum from the
Executive Secretary (Nov. 24, 2016).

50 THE 2022 COMPENDIUM OF NPC ISSUANCES


ADVISORY OPINION
NO. 2022-0091

2 March 2022

Re: PUBLICATION OF FORMER EMPLOYEES’ NAMES AND
SEVERANCE FROM EMPLOYMENT

Dear ,

We write in response to your request for an advisory opinion received
by the National Privacy Commission (NPC or the Commission)
on whether publishing former employees’ names and the fact of
severance of their employment would violate the Data Privacy Act
of 20122 (DPA).

From your letter, we understand that your company, a banking
institution, experienced isolated cases wherein the bank’s former
employees had misrepresented to existing clients (e.g., branch
clients) that they were still authorized to transact on the bank’s
behalf. Those former employees would solicit deposits from these
clients, sell bank products to extort money or do fraudulent acts
such as asking clients to transfer money to their accounts which
they would misappropriate for themselves.

We understand further that to curtail these incidents and to protect
the interest of the bank and its clients, it is suggested that there be
a publication or dissemination of a statement limited to the former
employee’s name and his/her severance from employment with
the bank through channels of general circulation like newsletters,
bank website, official social media account and or within the bank
branches or premises.
1 Tags: criteria for lawful processing; general data privacy principles; legitimate interest.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data
Privacy Act of 2012], Republic Act No. 10173 (2012).



You now come to the Commission for guidance on the following
inquiries:

1. Whether the publication of employee names and the fact of
severance of employment would be lawful under Section 12
(f) of the DPA; and
2. Whether it would be lawful for the bank as an alternative
measure to notify its clients privately and directly, through
bank authorized modes of communication, of the severance
of employment of such former employee.

Public disclosure of cessation of employment; Section 12
(f); legitimate interest; fraud prevention

The DPA recognizes the processing of personal and sensitive personal
information (collectively, personal data), provided the requirements
of the law are complied with and subject to the adherence of the
data privacy principles of transparency, legitimate purpose, and
proportionality.3

Under the DPA, the names of the employee and the fact that they
are no longer employed are classified as personal information, the
processing of which may be based on any of the lawful bases under
Section 12. Specifically in this instance, Section 12 (f) of the DPA
provides that the processing of personal information is allowed if
the same is necessary for the purpose of the legitimate interests
pursued by the personal information controller (PIC) or by a third
party:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:
xxx

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

3 Data Privacy Act of 2012, § 11.
4 See: National Privacy Commission, Advisory Opinion Nos. 2022-002 (Feb. 11, 2022), 2021-10 (March 22, 2021) and
2020-50 (Nov. 26, 2020) citing Data Privacy Act of 2012, § 12 (f) and United Kingdom Information Commissioner’s
Office (ICO), What is the ‘Legitimate Interests’ basis?, available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/.
5 See: National Privacy Commission, Advisory Opinion No. 2022-002 (Feb. 11, 2022) citing Article 29 Data Protection
Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive
95/46/EC, Adopted on 9 April 2014, available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.



In the determination of legitimate interest, the following must be
considered:4

1. Purpose test – The existence of a legitimate interest must be
clearly established, including a determination of what the particular
processing operation seeks to achieve;
2. Necessity test – The processing of personal information must be
necessary for the purpose of the legitimate interest pursued by the
PIC or third party to whom personal information is disclosed, where
such purpose could not be reasonably fulfilled by other means; and
3. Balancing test – The fundamental rights and freedoms of data
subjects must not be overridden by the legitimate interests of the
PIC or third party, considering the likely impact of the processing on
the data subjects.

Indeed, legitimate interest as a ground for lawful processing of
personal information is a flexible concept that may be applicable
in certain instances where processing will not have unwarranted
impacts on the rights and freedoms of data subjects.5

We note as well that although the DPA does not particularly identify
matters to be considered in the PIC’s determination of its legitimate
interests, the EU General Data Protection Regulation (GDPR), the
successor of the EU Data Protection Directive (Directive 95/46/
EC) which highly influenced the DPA, provides guidance whereby
the processing of personal information strictly necessary for fraud
prevention purposes constitutes a legitimate interest.6

In this instance, the PIC must establish that the disclosure of personal
information will strictly be for the resolution of previously committed
frauds and the prevention of potential frauds. Further, the PIC must
ensure that only personal information which are necessary and
proportionate to the declared legitimate interest may be processed,
considering the rights and freedoms of the data subjects.

In any case, PICs that consider relying on this basis should undergo
a legitimate interest assessment using the tests as guidance and
document the outcome of the assessment. This gives data subjects
some guarantee that this criterion for processing will not be misused.7

General data privacy principles; proportionality



While there may be a lawful basis for the publication of personal
information such as employee names and the fact of severance
from employment with the bank (i.e., “This person is no longer
connected with the bank.”), the DPA mandates that the principle
of proportionality should still be adhered to. Hence, disclosing the
name and the fact that the employee is no longer employed with the
bank is sufficient to meet the stated purpose. Any other information
beyond that may be considered disproportional.

This principle requires that the processing of personal data shall
be adequate, relevant, suitable, necessary, and not excessive in
relation to a declared and specified purpose. These qualifiers serve
as the measures by which a determination can be made on whether
processing is proportional and justified in relation to the declared
purpose. Further, this principle requires that personal data shall only
be processed if the purpose of the processing could not reasonably
be fulfilled by other means.

Given that the bank has determined an alternative measure of
notifying its clients individually through bank authorized modes
of communication, this option should also be taken into account
in its assessment of whether public disclosure or publication is
proportional.

This opinion is based solely on the limited information you have
provided. Additional information may change the context of the
inquiry and the appreciation of facts. This opinion does not adjudicate
issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) IVY GRACE T. VILLASOTO
OIC-Director IV, Privacy Policy Office



ADVISORY OPINION
NO. 2022-0101

14 July 2022

Re: REQUEST FOR OPINION ON PRIVACY MATTERS
CONCERNING TRANSFER OF ASSETS/LIABILITIES

Dear ,

We respond to your request for an Advisory Opinion on whether
Citibank, N.A., Philippine Branch can validly transfer the personal
information of non-responsive depositors to Union Bank of the
Philippines pursuant to the Share and Business Transfer Agreement
(“SBTA”).

We understand that Union Bank of the Philippines (the “Buyer”) and
Citibank, N.A., Philippine Branch (the “Seller”), together with other
affiliates of the Seller, entered into a Share and Business Transfer
Agreement (“SBTA”) for the proposed acquisition by the Buyer of
certain assets and liabilities of the Seller’s consumer business in
the Philippines as well as other assets (the “Transaction”). The
Transaction includes the Seller’s local credit card, unsecured lending,
and deposit businesses.

We understand further that the processing, profiling, and sharing of
data and information of the Seller’s deposit customers are governed
by the terms and conditions set out in its “CONSENT ON PROCESSING,
PROFILING AND SHARING OF DATA AND INFORMATION” (the 2017
Data Privacy Terms), the pertinent portions of which state:

PAR.(1): We agree that our application, enrollment, purchase, maintenance,
access or continued use of any of [the Seller’s] products and services
shall be deemed as our acceptance and agreement to be bound by the
provisions of these terms. We hereby agree that all Personal Data (as
defined under the Data Privacy Law of 2012 and its implementing rules
and regulations), customer data and account or transaction information
or records (collectively, the “Information”) relating to us with you from
time to time may be processed, profiled or shared to, by and between
[the Seller] and any of its affiliates and subsidiaries (collectively, [the
“Seller”] or each of the Authority (foreign or domestic) or Data Recipients
(whether in or outside the Philippines) and for the purposes as set out in
[the Seller’s] Data Statement in force provided by you to us from time to
time or for compliance with any law, regulation, government requirement,
treaty, agreement or policy or as required by or for the purpose of any
court, legal process, examination, inquiry, audit or investigation of any
Authority. The aforesaid terms shall apply notwithstanding any applicable
nondisclosure agreement. We acknowledge that such Information may be
processed or profiled by or shared with jurisdictions which do not have
strict data protection or data privacy laws. (Emphasis supplied.)

1 Tags: Consent

Paragraphs 5 and 6 of the customer consent section of the 2017
Data Privacy Terms also state:
PAR. (5) We consent, in connection with any proposed novation,
assignment, transfer or sale of any of your rights and/or obligations with
respect to or in connection with our account and any products, facilities
and services available in connection with the account, to any novatee,
assignee, transferee, purchaser or any other person participating or
otherwise involved in such transaction, to the disclosure, to any such
person, by you, of any and all Information which may be required in
relation thereto.

PAR. (6) We understand and consent that the processing, profiling and
sharing apply during the prospecting and application stages, as well
as for the duration of and even after the rejection, termination, closure
or cancellation of the account or relationship or Services (collectively
“Termination”) for a period of at least ten (10) years from the Termination
of our last existing account or relationship or that of the Relevant Individual
as determined by you. Where you deem it necessary or are required
to fulfill foreign and domestic legal, regulatory, governmental, tax, law
enforcement and compliance requirements and disclosure to each of
the Authority or Industry Organization, we understand and consent that
the storage will be made even after a period of ten (10) years from such
Termination until the final conclusion of any requirement or disclosure
obligation, dispute or action. (Emphasis supplied.)

You also stated in your letter that the Seller’s deposit customers
were requested to confirm their consent and adherence to the 2017
Data Privacy Terms stated above, upon the application for and
availment of the Seller’s products and services. To date, 56,561 out of
the Seller’s 61,986 deposit customers have accepted and expressly
consented to the 2017 Data Privacy Terms. The remaining 5,425
deposit customers have not consented to the 2017 Data Privacy
Terms but are covered by the “Legacy T&Cs”. The relevant section
of the Legacy T&Cs on sharing of customer information reads as
follows:



TRANSFER AND PROCESSING OF INFORMATION

As required under Republic Act 10173 and other applicable laws and
regulations, I authorize and give consent for the following: …
• For the Bank to transfer, disclose, use and process my Personal and
Account Information (including information that the Bank obtains from
third parties, such as Credit Institutions and other financial or non-financial
institutions), to, between and among its Authorized Third Parties (now
referred to the “Receiving and Disclosing Parties”), Credit Institutions, other
financial or nonfinancial institutions, or the outsourced service providers
of such entities, wherever situated, or a Government Requirement, for any
lawful purpose such as business development, data processing, analysis
and management, surveys, product and service offers, account servicing,
including rewards redemption and fulfilment, marketing activities, risk
management purposes, collections purposes and reporting, use in
employment checking (for financial institutions), and compliance with laws,
regulations and policies or anti-money laundering, sanctions and/or the
US Foreign Account Tax Compliance Act (FATCA), including withholding
for purposes of the FATCA. In addition to the above, the Bank or any of
the Receiving and Disclosing Parties may disclose any Information as may
be required by any Government Requirement, and for compliance with
any Government Requirement, or as required by or for the purposes of
any audit or investigation of any authority. “Government Requirement”
means any applicable law or regulation, legal, governmental or regulatory
authority, or agreement entered into by the Bank and any governmental
authority or between two or more governmental authorities (such law,
regulation or authority may be domestic or foreign). (Emphasis supplied.)

We understand that the Seller has undertaken an information
campaign and successfully sent notices (“first notice”) to its deposit
customers commencing on or about 25 February 2022, through
one or more of the following channels: courier, postage mail, email,
SMS, branches, interactive voice response facility, recorded phone
calls, the Seller’s online and mobile applications, and the Seller’s
website (such notices, the “Notices to Depositors”). In the Notices to
Depositors, the Seller advised its customers of the intended sale and
transfer to the Buyer, and in addition to consenting to the transfer
of their customer account to the Buyer, requested them to reaffirm
their previous express consent to the 2017 Data Privacy Terms.

You also informed us, that the Seller sent another letter (“Second
Notice”) to depositors who did not reply to the First Notice. In that
letter, these depositors were advised that in the absence of any
objection from the regulators:



(a) the depositors’ failure to respond or expressly object to the transfer
and/or continued availment of the Seller’s products and services would be
deemed their consent to the transfer of their accounts to the Buyer and a
reaffirmation of their previous express consent to the 2017 Data Privacy
Terms, and

(b) accordingly, the Seller will transfer their accounts and personal
information to the Buyer upon the closing of the Transaction.

You further disclosed that to date, some 46,148 depositors,
representing 74.4% of the Seller’s total depositors, have given their
consent or signified their objection to the transfer of their accounts.
For those who consented, the depositors also reaffirmed their
previous express consent to transfer their personal information
under the 2017 Data Privacy Terms to the Buyer. However, the
remaining 15,838 depositors have not, to date, replied to the Notices
to Depositors (the “Non-Responsive Depositors”).

These Non-Responsive Depositors may be further segregated as
follows:

1. Classification: Non-Responsive Depositors who have adhered to the
2017 Data Privacy Terms
Number of Depositors: 11,483
Description: Of the 15,838 Non-Responsive Depositors, 11,483 have
consented to, and are bound by, the 2017 Data Privacy Terms. These
Non-Responsive Depositors have been sent, on average, eleven (11)
Notices to Depositors or reminders through one or more of the
following channels: courier, postage mail, email, SMS, branches,
interactive voice response facility, recorded phone calls, the Seller’s
online and mobile applications, and the Seller’s website.

2. Classification: Non-Responsive Depositors under “and/or” accounts
that were originally subject to Legacy T&Cs, but where a
co-accountholder has expressly consented: (a) to the transfer of the
account holders’ information to the Buyer, and (b) to be bound by the
2017 Data Privacy Terms
Number of Depositors: 1,164
Description: The processing, profiling and sharing of the personal
information of 4,355 out of the 15,838 Non-Responsive Depositors
were initially governed by the terms set out in the Seller’s August
2016 General Terms and Conditions Governing Accounts (the “Legacy
T&Cs”). Of these 4,355 Non-Responsive Depositors, 1,164 depositors
hold “and/or” accounts but, in response to the First Notice, at least
one of the accountholders under such accounts have consented to the
transfer of their accounts to the Buyer and to update their data
privacy consent to the 2017 Data Privacy Terms.

3. Classification: Non-Responsive Depositors whose accounts are
governed by the Legacy T&Cs
Number of Depositors: 3,191
Description: Of the 4,355 Non-Responsive Depositors, 3,191
depositors continue to be governed by the Legacy T&Cs. Of this
number, 2,180 are sole accountholders, while 1,011 are
co-accountholders with a depositor who consented to the 2017 Data
Privacy Terms.

Through the clarification letter you sent to us on 29 June
2022, we understand that the relevant sections of the T&Cs for the
Seller’s Deposit and Cards/Loans products, as well as the 2017 Data
Privacy Terms state:

You thus seek clarification on the following:

1. Whether the Seller may validly transfer to the Buyer the
personal information of the 11,483 Non-Responsive Depositors
who have adhered to the 2017 Data Privacy Terms upon the
completion of the Transaction, on the basis of their prior
express consent to the 2017 Data Privacy Terms and the
implied reaffirmation of such consent by their failure to object
and continued availment of the Seller’s products and services
notwithstanding several Notices to Depositors/reminders
sent?

2. Whether upon the completion of the Transaction, the Seller
may validly transfer to the Buyer the personal information
of the 1,164 Non-Responsive Depositors whose “and/or”
accounts were originally subject to Legacy T&Cs, but where
a co-accountholder has consented: (a) to the transfer of the
account holders’ personal information to the Buyer, and (b) to
be bound by the 2017 Data Privacy Terms. UBP believes this is
supported by the authority granted to any co-accountholder
to act on behalf of the co-account holders under Deposit
T&Cs, the express consent given by a co-accountholder to
the updating of their data privacy consent to the 2017 Data
Privacy Terms, and the provisions of paragraph 8 of the
2017 Data Privacy Terms in relation to Section 2.D of NPC
Circular No. 2020-03, which grants any co-account holder the
authority to update or reconfirm the data privacy consents of
the accountholders?

3. Whether upon the completion of the Transaction, the Seller
may validly transfer to the Buyer the personal information
of the 3,191 Non-Responsive Depositors who have given
their prior express consent (as set out in the Legacy T&Cs)
to transfer their accounts and personal information to any
other financial institution for any lawful purpose. This action is
supported by their prior express consent to the Legacy T&Cs,
the implied reaffirmation of such consent by their failure to
object and continued availment of the Seller’s products and
services notwithstanding several Notices to Depositors/
reminders, and, in the case of the 1,011 Non-Responsive



Depositors who are co-account holders with a depositor who
consented to the 2017 Data Privacy Terms, the grounds set
out in paragraphs 18 and 19?
4. Whether the seller may transfer to the buyer the personal
information of its Non-Responsive Depositors with bounced
notifications (wherein the seller could not confirm receipt of
communications)?

5. Whether the seller may transfer to the buyer the personal
information of its depositors with closed card/loan accounts?

The Seller may validly transfer to the Buyer the
personal information of the 11,483 Non-Responsive
Depositors who have adhered to the 2017 data
privacy terms

For processing personal and sensitive personal information, this
may be done pursuant to the applicable provisions of Sections 12
and 13 of the DPA, to wit:

SECTION 12. Criteria for Lawful Processing of Personal Information.
— The processing of personal information shall be permitted only
if not otherwise prohibited by law, and when at least one of the
following conditions exists: xxx xxx xxx
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to
the fulfillment of a contract with the data subject or in order to take steps
at the request of the data subject prior to entering into a contract;

SECTION 13. Sensitive Personal Information and Privileged
Information. — The processing of sensitive personal information and
privileged information shall be prohibited, except in the following
cases: xxx xxx xxx

(a) The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all parties
to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and
regulations: Provided, that such regulatory enactments guarantee the
protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects are
not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information; xxx xxx xxx.”

2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for this Purpose a National Privacy Commission and for Other Purposes [DATA
PRIVACY ACT OF 2012], Republic Act No. 10173 (2012), § 3(b).



From the foregoing, it is worthy to note that lawful processing is not
always anchored or based on the presence of consent as there are
other criteria which may be more appropriate and may be invoked
by the personal information controller as contemplated above.

Under Section 3(b) of the DPA, consent is defined as any freely
given, specific, informed indication of will, whereby the data subject
agrees to the collection and processing of personal information
about and/or relating to him or her. Consent shall be evidenced
by written, electronic or recorded means. It may also be given on
behalf of the data subject by an agent specifically authorized by the
data subject to do so. From the definition provided above, it is clear
that consent must be evidenced by written, electronic, or recorded
means.2

The NPC would like to reiterate that implied or inferred consent is
not recognized in this jurisdiction. The entity, as personal information
controller or personal information processor must never assume the
data subject’s consent for any activity involving his or her personal
information, most especially, sensitive personal information, unless
circumstances permit the processing of personal or sensitive
personal information without consent, pursuant to the DPA and the
IRR.

In this instance, we understand that as far as the 11,483 Non-
Responsive Depositors are concerned, the basis of processing their
personal data would be based on the 2017 Data Privacy Terms of
the Seller, to which they have expressed their consent and hence
they are bound thereto. The pertinent provisions of which states:

PAR. (5) We consent, in connection with any proposed novation,
assignment, transfer or sale of any of your rights and/or obligations with
respect to or in connection with our account and any products, facilities
and services available in connection with the account, to any novatee,
assignee, transferee, purchaser or any other person participating or
otherwise involved in such transaction, to the disclosure, to any such
person, by you, of any and all Information which may be required in
relation thereto.

PAR. (6) We understand and consent that the processing, profiling and
sharing apply during the prospecting and application stages, as well
as for the duration of and even after the rejection, termination, closure
or cancellation of the account or relationship or Services (collectively
“Termination”) for a period of at least ten (10) years from the Termination



of our last existing account or relationship or that of the Relevant Individual
as determined by you. Where you deem it necessary or are required
to fulfill foreign and domestic legal, regulatory, governmental, tax, law
enforcement and compliance requirements and disclosure to each of
the Authority or Industry Organization, we understand and consent that
the storage will be made even after a period of ten (10) years from such
Termination until the final conclusion of any requirement or disclosure
obligation, dispute or action. (Emphasis supplied.)

Consent should cover all processing activities carried out for the
same purpose or purposes. We maintain that as long as the purpose,
scope, method and extent of the processing remains to be the same
as that disclosed to the data subject when consent was given,3 the
consent given by the non-responsive depositors upon agreeing to
the 2017 Data Privacy Terms of the Seller remains to be valid.

Additionally, the processing of the personal information of the 11,483
Non-Responsive Depositors may also be based on the existing
contract that the Seller has with its depositors. We clarify that, while
there is a lawful criteria for processing based on contract in section
12 of the DPA, this does not appear in section 13. Considering,
however, that consent is an essential element of contracts, in the
past, the Commission has applied the lawful criteria of consent under
Section 13 to also include contracts as long as the contract referred
still complies with the requirements for consent under the DPA.

We note that in cases where consent is not required, a privacy notice
would be sufficient. However, we wish to emphasize that a privacy
notice is not equivalent to consent. This document is an embodiment
of the observance of the data privacy principle of transparency and
upholding the right to information of data subjects.

You mentioned that the Seller has notified the affected data subjects
of the proposed transfer of their personal information to the buyer
by sending them eleven (11) notices as of present date. Considering
the foregoing, we affirm that such notices comply with the principle
of transparency adhered to by the DPA which dictates that the
data subject must be aware of the nature, purpose, and extent of
the processing of his or her personal data, including the risks and
safeguards involved, the identity of personal information controller,
his or her rights as a data subject, and how these can be exercised.
3 NPC Advisory Opinion No. 2018-058.



Finally, the personal information controller is not required to obtain
a separate consent from the data subject as long as the purpose,
scope, method and extent of the processing remains to be the same
as that disclosed to the data subject through the privacy notice and
the processing is still covered by the consent given or the processing
does not go beyond what the applicable law or regulation requires.

The Seller may validly transfer to the Buyer the personal
information of the 1,164 Non-Responsive Depositors whose
“and/or” accounts were originally subject to Legacy T&Cs,
but where a co-accountholder has consented

As to the 1,164 Non-Responsive Depositors whose “and/or”
accounts were originally subject to Legacy T&Cs but where a co-
accountholder has consented, we affirm that the Seller may likewise
validly transfer to the buyer their personal information, considering
that the processing of their personal information is based also on
the Seller’s 2017 Data Privacy Terms which states:
“a co-account holder is specifically authorized to reconfirm and update
their data privacy consent to the 2017 Data Privacy Terms and the
consents under such terms.”

In addition thereto, the “Joint Account” section of the General
Terms and Conditions Governing [the Seller’s] Philippines Account
(“Deposit T&Cs”) applicable to the Seller’s bank accounts provides
that:
“Your Joint Accounts authorize [the Seller] to accept, to pay, or to act
upon the order of any of the co-account holders or signatories indicated in
the Signature Card, upon written or oral instruments from any one of you,
and automatically vests in any of you to do whatever is desired with the
funds without the consent of the other co-account holders.”

As previously discussed, there are several criteria for processing
personal and sensitive personal information under Sections 12 and
13 of the DPA. We must emphasize that the aforementioned criteria
as discussed is applicable as well to these 1,164 Non-Responsive
Depositors whose “and/or” accounts were originally subject to
Legacy T&Cs.

Therefore, the authority granted to any co-accountholder to act on
behalf of the co-accountholders under the Seller’s Deposit T&Cs, as
well as the consent given by a co-accountholder to the updating of
their data privacy consent to the 2017 Data Privacy Terms, allows the
Seller to process and transfer the personal information of the 1,164
Non-Responsive Depositors in this case to the Buyer.

ADVISORY OPINION NO. 2022-010 65


The Seller may validly transfer to the Buyer the personal
information of the 3,191 Non-Responsive Depositors
whose accounts are governed by the Legacy T&Cs

The remaining 3,191 Non-Responsive Depositors are those whose
accounts are governed by the Legacy T&Cs. As mentioned in your
letter, the Legacy T&Cs provide that these 3,191 depositors authorize
the Seller to transfer their personal information to other financial
institutions for any lawful purpose.

The relevant portion of the Seller’s Legacy T&C states:

As required under Republic Act 10173 and other applicable laws and
regulations, I authorize and give consent for the following: …
For the Bank to transfer, disclose, use and process my Personal and
Account Information (including information that the Bank obtains from
third parties, such as Credit Institutions and other financial or non-financial
institutions), to, between and among its Authorized Third Parties (now
referred to the “Receiving and Disclosing Parties”), Credit Institutions, other
financial or nonfinancial institutions, or the outsourced service providers
of such entities, wherever situated, or a Government Requirement, for any
lawful purpose…
xxx

In addition, there are existing provisions in the Seller’s T&Cs which
provide:

xxx You agree that your application, enrollment, purchase, maintenance,
access or continued use of any of Citi’s products and services shall be
deemed as your acceptance and agreement to be bound by the provisions
of these terms xxx

It is evident from the prior discussions that the transfer of the
personal information of these Non-Responsive Depositors should
comply with any of the various criteria for lawful processing
under the DPA, specifically under Sections 12 or 13 of the law.
Both the Seller and the Buyer may be allowed to process personal
data based on the above provisions, and the consent of the Non-
Responsive Depositors is no longer required in the conduct of due
diligence and in the implementation of the planned transfer.

In addition, we clarify that the fact of the continuity of use by the
data subject of a personal information controller’s services does
not automatically signify one’s consent. The personal information
controller should be able to prove that such act of the data subject/s
constitutes their consent.



We note that in this case the data subjects herein agreed to the
provisions of the T&Cs stated above. Aside from this, the Seller sent
numerous notices and reminders through one or more of the following
channels: courier, postage mail, email, SMS, branches, interactive
voice response facility, recorded phone calls, the Seller’s online and
mobile applications, and the Seller’s website. Notwithstanding such
notices and reminders, the data subjects did not respond. Hence,
the Seller sent a “Second Notice” to the data subjects wherein the
depositors were advised of the intended transfer to the Buyers
and that if they fail to object to the transfer and/or continue to
avail of the Seller’s products and services, they will be deemed to
have consented to the transfer and to have full knowledge of, and
acceded to, the transfer.

As such, the transfer of the personal information of the 3,191 Non-
Responsive Depositors, who continued availing of the Seller’s
products and services, finds basis in the T&Cs previously consented
to by these data subjects, taking into consideration the efforts
exerted by the Seller to notify and remind them.

The Seller may validly transfer to the Buyer the personal
information of its Non-Responsive Depositors with
bounced notifications

In your clarificatory letter dated 29 June 2022, you stated that the
Seller has non-responsive depositors with bounced notifications,
whose receipt of the various communications sent it could not
confirm, but who are nevertheless covered by the 2017 Data Privacy
Terms and/or the Legacy Terms on the disclosure of information.

In this instance, the various criteria for lawful processing under the
DPA, specifically under Sections 12 or 13 of the law as discussed
above, also apply to these non-responsive depositors with bounced
notifications. We emphasize that processing of personal information
may be based on consent, contract, legal obligation, legitimate
interest, among others. Similarly for sensitive personal information,
the processing thereof may be based on consent, law or regulation,
legal claims, among others.

Given the foregoing, we clarify that as long as the scope, method,
purpose, and extent of the processing as contained in the terms
and conditions, privacy policies, and policies on the processing of
information provided by the PIC to their data subjects at the time
the consent was given remain the same, the consent given by the
data subject remains valid as well.

Therefore, we conclude that the personal information of these data
subjects (non-responsive depositors and/or card / loan accounts
with bounced notifications) may be transferred by the Seller to the
Buyer, as the consent given by the data subjects herein applies to
this Transaction, as is clearly agreed upon by the data subjects in the
2017 Data Privacy Terms and/or the Legacy Terms on the disclosure
of information.

The Seller may validly transfer to the Buyer the personal
information of its data subjects with closed card/loan
accounts

There are also those data subjects who have closed card/loan
accounts but who are likewise covered either by the Seller’s T&Cs
enabling the Seller to assign its rights and obligations without any
notice, or by the 2017 Data Privacy Terms which allow the disclosure of
information to an assignee and allow the Seller to process the data
subject’s information up to 10 years following termination or closure
of the account for various purposes, such as customer servicing,
remediating customers’ and/or regulatory claims/refunds, as well as
other compliance requirements.

In this case, the previous discussions with regard to the various
criteria for lawful processing under the DPA, specifically under
Sections 12 or 13 of the law as discussed, also apply to these data
subjects.

We note that in this case, the personal information of herein data
subjects may be transferred by the Seller to the Buyer given that the
data subjects have consented to the processing of their information
up to 10 years following termination or closure of the card account,
for various purposes, such as customer servicing, remediating
customers’ and/or regulatory claims/refunds and compliance with
obligations as a card issuer, etc., as stated in the Seller’s 2017 Data
Privacy Terms.

In addition, the herein data subjects have also agreed to the
provisions in the Cards T&Cs of the Seller, which enable the Seller
to assign its rights and/or obligations without any notice. However,
we note that despite such provision, the Seller still sent out notices
to the herein data subjects to inform them of the Transaction with
the Buyer.

Given the foregoing, the consent given by the data subjects in either
of the aforementioned terms and conditions remains to be valid in
this instant case, as the herein Transaction involves the transfer of the
Seller’s local credit card, unsecured lending, and deposit businesses
to the Buyer, which means that the purpose, scope, method and
extent of the processing of personal data, would remain to be the
same as to what the data subjects have consented to.

As a general rule, as long as the scope, method, purpose, and extent
of the processing as contained in the terms and conditions, privacy
policies, and policies on the processing of information provided by
the PIC to their data subjects at the time the consent was given
remain the same, the consent given by the data subject remains valid
as well.4

Please be advised that this Advisory Opinion was rendered based
solely on your provided information. Any extraneous fact that may
be subsequently furnished to us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

4 NPC Advisory Opinion No. 2018-058.



ADVISORY OPINION NO. 2022-011¹
19 August 2022

Re: PERSONAL DATA RETENTION AND DELETION

Dear ,

We respond to your inquiry regarding the request of a client of Flexi
Finance Asia Inc. (FFAI) to delete his personal data from its system.
We understand that FFAI is a financing company that processes
basic credit information of its clients, including their personal data
as defined in the Data Privacy Act of 2012 (DPA).3 Under the Credit
Information System Act (CISA),4 FFAI is required to retain the data
of its clients for reporting to the Credit Information Corporation (CIC).
You also cite relevant provisions of FFAI’s Loan Contract with the
client that allow it to retain personal data, to wit:

b. Retain my personal information within the period as may
be allowed for by law from the date of the termination of
my loan contract subject to the discretion of the company.
The company may use such information for any legitimate
purpose but always in compliance with prevailing and to be
enacted laws and regulations.

c. Retain my information in the database of the company with
the latter having the right to share the same to all its affiliates
and necessary third parties for any legitimate business
purpose subject to the assurance by the company that proper
security systems are in place to protect my information.
1 Tags: data subject’s rights; right to erasure; data retention.
3 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for other purposes [Data Privacy Act of 2012] Republic Act No. 10173 (2012).
4 An Act Establishing The Credit Information System And For Other Purposes [Credit Information System Act] Republic Act No. 9510 (2008).



However, the client did not substantiate his/her deletion request
with any of the circumstances mentioned in Section 16 (e) of the
DPA.

You thus seek guidance on the following:

1. Whether FFAI can compel the client to provide proof of the
circumstances provided in Section 16 (e) of the DPA;
2. The number of years that the FFAI can retain its clients’
data; and
3. If there is any violation if FFAI does not delete the client’s
data as requested.

Considering that your questions are interrelated, we shall discuss
them jointly.

Personal Data; Basic Credit Information; Data subject
rights; Right to Erasure; Limitations.

At the outset, we note that your query is silent as to the type of data
involved in the client’s request. Thus, we deem it prudent to discuss
the difference between personal information and sensitive personal
information (collectively, personal data) for proper perspective.

The DPA defines Personal Information as any information whether
recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly ascertained
by the entity holding the information, or when put together with
other information would directly and certainly identify an individual.6

On the other hand, Sensitive Personal Information refers to personal
information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged to
have been committed by such person, the disposal of such proceedings,
or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes,
but not limited to, social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and tax returns;
and
(4) Specifically established by an executive order or an act of Congress to
be kept classified.7

6 Data Privacy Act, § 3 (g)
7 Id., § 3 (l)



The bases for permissible processing of the two types of personal
data differ. Section 12 of the DPA provides the criteria for lawful
processing of Personal Information:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to
the fulfillment of a contract with the data subject or in order to take steps
at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to
which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of
the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency,
to comply with the requirements of public order and safety, or to fulfill
functions of public authority which necessarily includes the processing of
personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

On the other hand, Section 13 of the DPA enumerates the
circumstances when Sensitive Personal Information may be
processed:

SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all parties
to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee
the protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects are
not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically
able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations: Provided, That
such processing is only confined and related to the bona fide members
of these organizations or their associations: Provided, further, That the
sensitive personal information are not transferred to third parties: Provided,
finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is
carried out by a medical practitioner or a medical treatment institution,
and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary
for the protection of lawful rights and interests of natural or legal persons
in court proceedings, or the establishment, exercise or defense of legal
claims, or when provided to government or public authority.

In relation to Sections 12 (c) and 13 (b) of the DPA, FFAI must
additionally comply with the provisions of the CISA in processing
the Sensitive Personal Information of its clients, since processing
based on a legal obligation requires that all conditions imposed by
the legal obligation have been complied with, as discussed in NPC
Resolution 18-010, viz:

“Processing based on a legal obligation requires that all conditions imposed
by the legal obligation have been complied with. Section 12 (c) of the DPA
requires not only that the processing is “necessary” but also that it be in
“compliance with a legal obligation”. Compliance with everything required
by the claimed legal obligation as a condition for the processing is an
essential element for any claim of valid processing under this criterion.”8

Under the CISA, entities providing credit facilities are required to
submit credit information of their borrowers to the CIC and thereafter
update the same on a regular basis.

The Implementing Rules and Regulations (IRR) of the CISA also require
submitting entities to submit current, objective, factual, and basic
credit data, both positive and negative, on all their data subjects.11
Basic Credit Data comprises the following:



4.4. Basic Credit Data. Every participating entity shall submit
to the Corporation the following basic credit data on all data
subjects:
a) Individual
i. Personal circumstances such as name (last, first, middle),
date of birth, sex, civil status, present residence, employer
and position or business, as the case may be;
ii. Number of children depending for support;
iii. TIN, SSS or GSIS No.;
iv. Net income;
v. Residence for the last 2 years;
vi. Employer/s or business/es for the last 5 years;
vii. Owners/lessee of house occupied;
viii. Car/s owned;
ix. Bank/s where accounts are maintained, including types of
bank accounts; and
x. Other assets, real or personal.12

The IRR of the CISA also provides the data that comprises Negative
Information of data subjects. The IRR provides:

4.5. Negative Information

The Corporation’s credit information database shall likewise contain
negative information which shall include, among others, the following:

a) Past due;
b) Default/s on loan/s;
c) Details of the settlement of loans that defaulted;
d) Foreclosures;
e) Adverse court judgments relating to debts;
f) Report on bankruptcy or insolvency;
g) Petition or order on suspension of payments;
h) Corporate rehabilitation;
i) Other pending court cases (either as plaintiff or defendant) related
to credit transactions or cases that will affect the financial capacity
of the borrower;
j) Inclusion in a bouncing check checklist;
k) Cancelled credit cards; and
l) Such other information that may be determined by the Corporation.13
8 National Privacy Commission, NPC Resolution 18-010
11 Implementing Rules and Regulations of the Credit Information System Act (CISA) Republic Act No. 9510, § 4 (1) (2009)
12 Id., § 4 (4)(a) (2009)



In view of the foregoing, aside from Personal Information, some
of the personal data required to be submitted and/or retained
by submitting entities pursuant to the CISA qualifies as Sensitive
Personal Information. This can serve as guide on the type and the
limits of the processing that FFAI may perform on the personal data
of its clients.

Be that as it may, please note that regardless of the nature of the
personal data involved, the DPA recognizes certain rights in favor of
the data subject. Relevant to your query are the rights to suspend,
withdraw, or order the blocking, removal, or destruction of his or her
data from the personal information controller’s (PIC) filing system,
subject to specified conditions as stated in Section 16 (e) of the DPA.

The NPC provided further guidance on the matter through NPC
Advisory No. 2021 – 01 on Data Subject Rights.15 Section 10 thereof
provides:
SECTION 10. Right to Erasure or Blocking. — A data subject has the right to
request for the suspension, withdrawal, blocking, removal, or destruction
of his or her personal data from the PIC’s filing system, in both live and
back-up systems.

A. This right may be exercised upon discovery and substantial
proof of any of the following:

1. The personal data is:
a) incomplete, outdated, false, or unlawfully obtained;
b) used for an unauthorized purpose;
c) no longer necessary for the purpose/s for which they were
collected; or
d) concerns private information that is prejudicial to the data
subject, unless justified by freedom of speech, of expression,
or of the press, or otherwise authorized;

2. The data subject objects to the processing, and there are no
other applicable lawful criteria for processing;

3. The processing is unlawful; or

4. The PIC or PIP violated the rights of the data subject.

Further, the same advisory provides grounds for denying requests
for erasure or blocking by a data subject, viz:

2. Denial of Request. A request for erasure or blocking may be
denied, wholly or partly, when personal data is still necessary in
any of the following instances:

13 Id., § 4 (5) (2009)
15 National Privacy Commission, Data Subject Rights [NPC Advisory No. 2021 – 01] (January 29, 2021).



a) Fulfillment of the purpose/s for which data was obtained;

b) Compliance with a legal obligation which requires personal data
processing;

c) Establishment, exercise or defense of any legal claim;

d) Legitimate business purposes of the PIC, consistent with the
applicable industry standard for personal data retention;

e) To apprise the public on matters that have an overriding public
interest or concern, taking into consideration the following
factors:
i. Constitutionally guaranteed rights and freedoms of speech,
of expression, or of the press;
ii. Whether or not the personal data pertains to a data subject
who is a public figure; and
iii. Other analogous considerations where personal data are
processed in circumstances where data subjects can
reasonably expect further processing.

f) As may be provided by any existing law, rules, and regulations.”

Additionally, the IRR of the CISA also provides for data subject rights,
which necessarily include the right to dispute and erasure, viz:

4.6. Rights of Data Subjects

a) A borrower shall have the right to have ready and immediate
access to credit information pertinent to him subject to the
payment of a prescribed fee;

b) He shall have the right to dispute erroneous, incomplete or
misleading credit information;

c) He shall be entitled to a simplified dispute resolution process to
fast track the settlement/resolution of disputed credit information;

d) He shall be informed of any correction or removal of any
erroneous, incomplete or misleading information within 5 working
days from verification or conclusion of an investigation or from
deletion of the disputed information, as the case may be;

e) He shall be entitled to indemnity in case of denial, without
justification, of the aforementioned rights;

f) He shall be notified by a submitting entity of the latter’s obligation
to submit and disclose basic credit data to the Corporation; and

g) He shall have the right to know the causes of refusal of an
application for credit facilities or services from a financial institution
that uses credit data as basis or ground for such refusal.18



Further, CIC Circular No. 2015-0119 lays down the obligations of a
submitting entity under the CISA, viz:

4.6 The Submitting Entity shall regularly submit the Basic Credit Data of
all its Borrowers contained in its data base, file or system, to the CIC not
later than on the 5th day of the month and in the form/format and manner
prescribed by the CIC.

4.7 The Submitting Entity shall ensure that the Basic Credit Data of all its
borrowers with the CIC is accurate, complete, correct, and current up to
the relevant Update Cycle Date.

4.8 The Submitting Entity shall ensure that when receiving Error Reports
from the CIC, the Submitting Entity shall rectify errors in the relevant files
and send the corrected files to the CIC within a period of three (3) working
days. xxx”

In fine, while both the DPA and the CISA and all related issuances
recognize the right of a Data Subject to request the deletion of
his personal data, the exercise of such right is not absolute. PICs,
such as FFAI, may request the data subject to substantiate his/her
request. However, FFAI is also obliged to observe the limits imposed
by law as to the type of data and the conditions for its processing.

Data retention period; CISA requirements.

It must be emphasized that the DPA requires that personal data shall
only be retained for as long as necessary for the fulfillment of the
purposes for which the data was obtained; for the establishment,
exercise or defense of legal claims; for legitimate business purposes;
or as provided by law.20 Other conditions for the retention of data
are also provided in Sections 12 and 13 of the DPA.
The DPA further provides that personal data shall not be retained
in perpetuity in contemplation of a possible future use yet to be
determined. NPC Advisory Opinion No. 2017-24 is instructive on this
point, viz:
“From the foregoing, it is clear that the DPA and its IRR does not provide
for a specific retention period. Instead, the law sets out the general
principles and guidelines for the retention of personal data. As a general
rule, records containing personal data should be retained only for as long
as may be necessary for the purpose or purposes for which the personal
data were collected.”

18 Implementing Rules and Regulations of the Credit Information System Act (CISA) Republic Act No. 9510, § 4 (6) (2009)
19 Credit Information Corporation, Enforcement of the Credit Information System Act Pursuant to Republic Act No. 9510 and its Implementing Rules and Regulations [Circular 2015-01] § 4.2 (15 May 2015)
20 Data Privacy Act of 2012, § 11 (e).



Further, Section 19(d)(1) and (2) of the IRR of the DPA provides:

“d. Personal Data shall not be retained longer than necessary.

1. Retention of personal data shall only be for as long as necessary:

a) For the fulfillment of the declared, specified, and legitimate
purpose, or when the processing relevant to the purpose has been
terminated;

b) For the establishment, exercise or defense of legal claims; or

c) For legitimate business purposes, which must be consistent
with standards followed by the applicable industry or appropriate
government agency.

2. Retention of personal data shall be allowed in cases provided by law.”

Additionally, the CISA provides a period of retention if the Basic Credit
Data refers to negative credit information, viz:

“A. Retention Period for Negative Information in the Database

Any negative information on a borrower shall stay in the Corporation’s
database for not more than 3 years from and after the date the negative
information shall have been rectified through the following:

i. Payment or liquidation of debt; or

ii. Settlement of debt through compromise agreement or court decision
exculpating the borrower from any liability.

Negative information shall be corrected and updated within 15 days
from receipt of notice of payment, liquidation or settlement of debt in
accordance with the prescribed rules of the Corporation.”21

Thus, although PICs cannot retain personal data in perpetuity, the
continued processing thereof may be permitted if it is anchored on
Sections 12 and 13 of the DPA. And, if negative information is involved,
FFAI must also comply with the three-year limitation provided in the
CISA. Please note that the repurposing of Personal Data retained
other than for what the law prescribes may constitute a violation
of the DPA.

21 Rules and Regulations Implementing the Credit Information Systems Act of 2008, Rule 4 (4.5) (A). (2009).

DPA violation for denial of data subject rights.

As mentioned above, the continued processing of the data subject’s
data and, in effect, the denial of the right to delete, may be justified
pursuant to Sections 12 and 13 of the DPA in relation to the CISA.

On this note, the existence of a lawful ground for processing does
not give PICs an unbridled power to process personal data. PICs are
still required under the law to observe the data privacy principles of
legitimate purpose, transparency, and proportionality. In this regard,
we observed that your contract provisions appear to violate some
of the data privacy principles and hence cannot serve to justify the
retention of the data subject’s personal data.
You may want to revisit the contract provisions involved as it is
inconsistent with the principle of transparency which requires that
the data subject should be aware of the nature, purpose, and extent
of the processing of his or her personal data, including the risks and
safeguards involved, his or her rights as a data subject, and how
these can be exercised.23

Also, in accordance with the principle of proportionality, the
processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified
purpose. Personal data shall be processed only if the purpose of the
processing could not reasonably be fulfilled by other means.24

We emphasize that should FFAI deny or limit the exercise of data
subject rights, it should ensure that the data subject is clearly and
fully informed of the reasons for the denial or limitation.25

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.


Very truly yours,

Sgd.
FRANKLIN ANTHONY M. TABAQUIN, IV
Director IV, Privacy Policy Office

23 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, §18 (2016)
24 Id.
25 NPC Advisory No. 2021 – 01, § 14.

ADVISORY OPINION NO. 202-011 79


ADVISORY OPINION NO. 2022-012¹
2022 - 011
19 August 2022

Re: REMEDIES AGAINST THE ALLEGED DATA BREACH
INVOLVING WORKABROAD.PH (WORKABROAD)

Dear ,

We respond to your 9 December 2021 letter requesting our Advisory
Opinion on the above matter.

We draw from your letter that the Philippine Overseas Employment
Administration (POEA) has received numerous reports of overseas
employment job seekers falling victim to the “Please Read and
Understand” online scam/illegal recruitment scheme. Under the said
scheme, the sender uses the name and license number of a licensed
recruitment agency (LRA) in text messages or e-mails informing
OFW-applicant/s that they were selected for a job abroad. The
OFW-applicant/s are then instructed to pay a fee – usually labeled
as reservation fee, orientation fee, or coaching fee – through money
transfer and remittance platforms like Western Union, Palawan
Pawnshop, and Cebuana Lhuillier Pera Padala. The scammers have
also modernized to include payment platforms such as GCash,
PayMaya and 7-ELEVEN.

For the period 16 June up to 13 September 2021, the POEA’s Anti-
Illegal Recruitment Branch (AIRB) received complaints and inquiries
from OFW-applicant/s and LRAs regarding a variation of the
scheme in which they were asked to remit PhP3,000 in exchange
for reservation of a slot for deployment to Canada. The AIRB noticed
that, from July to August 2021, the names used in the scam e-mail
ran almost alphabetically or used LRA names starting with “P”
through “S”. Of the eleven (11) victims who responded to the AIRB’s
inquiry on where they provided their contact information, eight (8)
mentioned WorkAbroad.

1 Tags: Special Cases; fulfillment of mandate; public authority; data sharing; data sharing agreement.

80 THE 2022 COMPENDIUM OF NPC ISSUANCES


In the case of Archway International and Marketing Services, Inc.
(“Archway”), they reported the use of their agency’s name in
the “Please Read and Understand” online scam for supposed
deployment to Canada and the United Kingdom. Archway denies any
involvement, and later reported that twenty-seven (27) applicants
complained about the PhP3,000 training/seminar fee they paid
through GCash. Archway also reported that ten (10) applicants
registered with WorkAbroad.

You state further that WorkAbroad is an affiliate of JobStreet, a
popular online employment website/aggregator catering to countries
in Asia. WorkAbroad’s primary market is the Philippines, particularly
OFWs, LRAs, and their partner foreign employers/principals.

WorkAbroad is reputed to be a legitimate job search website for
OFWs, LRAs, and foreign principals. Its website includes a feature
in which the applicant can upload his/her resume, while additional
information may be collected and stored further in their database.
Some LRAs are also registered with WorkAbroad, where they post
job openings. While the profile of a particular LRA may include its
license number, such data will not appear when a search is made
using the POEA’s public database.

Thus, you seek an Advisory Opinion on the following matters:

1. Whether the POEA may request WorkAbroad to disclose who has
access to the applicant’s resumes and contact information?

2. Whether the POEA may share with another government agency, in
particular the DOJ, the data that it will receive from WorkAbroad after the
execution of a Data Sharing Agreement (DSA).

For proper perspective, we find it necessary to discuss the salient
features of the Data Privacy Act of 2012 (DPA) and its related rules
and issuances –

Special Cases; fulfillment of mandate; public authority;

The Implementing Rules and Regulations (IRR) of the DPA excludes
from the scope of the law certain types of processing that are
considered necessary due to their purpose, function, or the activity
involved. In particular, Section 5 (d) of the IRR provides:

2 An Act to Strengthen the Regulatory Functions of the Philippine Overseas Employment Administration (POEA), Amending for this Purpose Republic Act No. 8042, Otherwise Known as the Migrant Workers and Overseas Filipinos Act of 1995, [R.A. No. 9422, § 1].


d. Information necessary in order to carry out the functions of public
authority, in accordance with a constitutionally or statutorily mandated
function pertaining to law enforcement or regulatory function…subject to
restrictions provided by law…

We recognize that the POEA is legally mandated to regulate private
sector participation in the recruitment and overseas placement of
workers. It is also tasked to formulate and implement a system for
promoting and monitoring the overseas employment of Filipino
workers, taking into consideration their welfare and the domestic
manpower requirements.2 In addition to its powers and functions,
it informs migrant workers not only of their rights as workers but
also of their rights as human beings, instructs and guides the workers
how to assert their rights, and provides the available mechanism to
redress violation of their rights.3

Premised on the foregoing, the POEA’s request to access the
applicants’ resumes and contact information from WorkAbroad may
be anchored on Section 5 (d) of the IRR of the DPA, that is, as a
fulfillment of its mandate to regulate the private sector’s participation
in the recruitment and placement of Overseas Filipino workers.

In addition, the POEA’s request falls under Section 13(b) of the DPA, to
wit:

SECTION 13. Sensitive Personal Information and Privileged Information. —
The processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases:

(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee
the protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects
are not required by law or regulation permitting the processing of
the sensitive personal information or the privileged information;

For processing under Section 13 (b) cited above, the government or
public authority may process information pursuant to the particular
agency’s constitutional or statutory mandate, and subject to the
requirements of the DPA. In this case, the POEA’s request for
information is in prosecution of its mandate to be able to provide
the available mechanism to redress the violation of the rights of the
migrant workers.

3 Id.
4 National Privacy Commission, Data Sharing Agreements [NPC Circular No. 2020-03], § 2 (F) (December 23, 2020).
5 Id. § 2 (G).


Data Sharing; Data Sharing Agreement

Data sharing is defined under NPC Circular No. 2020-03 as the
sharing, disclosure, or transfer to a third party of personal data
under the custody of a personal information controller to one or
more other personal information controller/s.4

On the other hand, a data sharing agreement (DSA) refers to a
contract, joint issuance or any similar document which sets out the
obligations, responsibilities and liabilities of the PICs involved in the
transfer of personal data between or among them, including the
implementation of adequate standards for data privacy and security
and upholding the rights of the data subjects.5

Please note that under Section 8 of NPC Circular No. 2020-03, the
execution of a DSA is not mandatory:

SECTION 8. Data sharing agreement; key considerations. — Data sharing
may be covered by a data sharing agreement (DSA) or a similar document
containing the terms and conditions of the sharing arrangement, including
obligations to protect the personal data shared, the responsibilities of
the parties, mechanisms through which data subjects may exercise their
rights, among others. The execution of a DSA is a sound recourse and
demonstrates accountable personal data processing, as well as good faith
in complying with the requirements of the DPA, its IRR, and issuances of the
NPC. The Commission shall take this into account in case a complaint is filed
pertaining to such data sharing and/or in the course of any investigation
relating thereto, as well as in the conduct of compliance checks.

While the execution of a DSA is optional, we still advise that the
parties execute the same as a matter of best practice and for
purposes of accountability.

We recognize that the establishment of the Shared Government
Information System for Migration (SGISM) is provided under the
Migrant Workers and Overseas Filipinos Act of 1995 (R.A. No. 8042),
as amended by Republic Act No. 10022, to wit:

SEC. 20. Establishment of a Shared Government Information
System for Migration. - An inter-agency committee composed
of the Department of Foreign Affairs and its attached agency,
the Commission on Filipino Overseas, the Department of
Labor and Employment, the Philippine Overseas Employment
Administration, The Overseas Workers Welfare Administration,
The Department of Tourism, the Department of Justice, the
Bureau of Immigration, the National Bureau of Investigation,
and the National Statistics Office shall be established to
implement a shared government information system for
migration. The interagency committee shall initially make
available to itself the information contained in existing data
bases/files. The second phase shall involve linkaging of
computer facilities in order to allow free-flow data exchanges
and sharing among concerned agencies.

The inter-agency committee shall convene to identify existing
data bases which shall be declassified and shared among member
agencies. These shared data bases shall initially include, but not
limited to, the following information:

(a) Masterlists of departing/arriving Filipinos;
(b) Inventory of pending legal cases involving Filipino migrant workers and
other Filipino nationals, including those serving prison terms;
(c) Masterlists of departing/arriving Filipinos;
(d) Statistical profile on Filipino migrant workers/overseas Filipinos/
Tourists;
(e) Blacklisted foreigners/undesirable aliens;
(f) Basic data on legal systems, immigration policies, marriage laws and
civil and criminal codes in receiving countries particularly those with the
large numbers of Filipinos;
(g) List of labor and other human rights instruments where receiving
countries are signatories;
(h) A tracking system of past and present gender disaggregated cases
involving male and female migrant workers;

In the present case, the above shared government information
system for migration may be used as basis for the establishment of a
DSA with the DOJ for the data that it will receive from WorkAbroad.

Finally, we reiterate that the DPA, its IRR and other relevant issuances
of the NPC are not meant to impede the regular functions of
government agencies based on their mandates. The right to access
personal data is regulated by the DPA and other applicable laws on
the matter.


We hope that we have sufficiently addressed your concerns. Rest
assured that the NPC is your partner in good governance.

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

Sgd.
FRANKLIN ANTHONY M. TABAQUIN, IV
Director IV, Privacy Policy Office

ADVISORY OPINION NO. 2022-013¹
2022 - 013
31 August 2022

Re: ONLINE LENDING MOBILE APPLICATION PERMISSIONS

Dear ,

We respond to your request for an Advisory Opinion on the
compliance of your client’s microloan mobile application with the
Data Privacy Act of 2012 (DPA).2

We understand that your client, AND Financing Corporation (AND-
FC), is a Philippine subsidiary of AND Global Pte of Singapore.
AND-FC launched LendPinoy, a mobile application that provides
microloans in the Philippines.

We note that LendPinoy will use an Artificial Intelligence (AI) credit
scoring process to determine the creditworthiness of individual
borrowers. To do this, LendPinoy intends to utilize two processes:
1) obtain access to SMS data of the would-be borrowers (data subjects);
and
2) obtain access to the bank account details of the data subjects.

You thus seek clearance from the NPC on the foregoing processing
of personal information.

Advisory Opinion as guidance
At the outset, we wish to clarify that Advisory Opinions of the
National Privacy Commission (NPC) do not serve as a “clearance”
to the processing of personal information by personal information
controllers (PICs). As stated in NPC Circular No. 18-01 (Rules of
Procedure on Requests for Advisory Opinions),3 the NPC’s Advisory
Opinions provide guidance to the requesting party and the general
public on matters relating to the interpretation of the provisions of
the DPA, its Implementing Rules and Regulations (IRR), and NPC
issuances, compliance requirements, enforcement of data privacy
laws and regulations, and other related issuances on personal data
privacy, security and protection.4

Nevertheless, we shall discuss hereunder certain matters we
observed from your request.

1 Tags: lawful processing of personal information; consent; general data privacy principles; privacy impact assessment; privacy-by-design.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).

Application permissions; general data privacy
principles; proportionality; retention; NPC Circular
No. 20-01

We note from the Privacy Impact Assessment on the SMS application
(SMS PIA) that the following information will be processed within the
application:

Figure 1: Threshold Analysis SMS PIA


We likewise note from Section 1 of the SMS PIA on the Description
of Program, Process, or Measure involving Personal Data, that once
the data subjects accept the SMS permission, all saved SMS data in
the device will be transferred to the AND-FC server securely.

We further note that in Section 3.2 on the Compliance with
Information Privacy Principles, particularly the answers in relation
to the questions on proportionality, that AND-FC answered in the
negative to the following:

3 National Privacy Commission, Rules of Procedure on Requests for Advisory Opinions [NPC Circular No. 18-01] (10 September 2018).
4 NPC Circular No. 18-01, Section 5 (a).


1. Is the processing of personal information adequate, relevant,
suitable, necessary, and not excessive in relation to a declared
and specific purpose; and
2. Is personal information being processed because the
purpose of the processing could not be reasonably fulfilled
by other means?

From the foregoing, there seems to be a recognition on the part
of AND-FC that the personal information to be processed is not
proportional to the purpose of the processing and that there are
other less intrusive means to determine creditworthiness of the data
subjects.

Such processing, therefore, does not conform to the data privacy
principle of proportionality, which provides that the processing
of personal data shall be adequate, relevant, suitable, necessary,
and not excessive in relation to a declared and specified purpose;
and personal data shall be processed only if the purpose of the
processing could not reasonably be fulfilled by other less intrusive
means.5

To comply with the said principle, AND-FC should evaluate the
need to access and process SMS data of the data subjects as it may
be disproportionate to the purpose of granting a loan to the data
subjects.

Similarly, the harvesting of all SMS data of the data subjects appears
to violate the principle of proportionality because this would entail
the saving and transfer of the SMS data of the borrowers from the
latter’s mobile phones to the cloud servers of AND-FC and storing it
there for a certain period. This processing activity may be deemed
excessive and unrelated to the declared and specified purpose of
determining the creditworthiness of data subjects.

We note that AND-FC intends to store the SMS data in its cloud
servers not only for the purpose of credit-scoring6 but also for the
purpose of credit scoring system improvement.7 The SMS data
will also be disclosed to authorized personnel of AND-FC’s parent
company, AND Solutions PTE Ltd. to study and develop its credit
scoring system.8 These are additional purposes for the benefit of
AND-FC that are neither essential nor necessary to the service sought
to be availed of by the data subjects. In other words, processing for
these purposes should be covered by a separate lawful basis.

5 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 18 (c) (2016).
6 See Table 3 – Information Flow – SMS Permission Privacy Impact Assessment.
7 Ibid.
8 Ibid.
9 See Part 2 – Threshold Analysis, Table 2.

We also note that the purpose of the request to access and
harvest SMS data is to determine the creditworthiness of the data
subjects and to possibly increase their credit limit. However, we also
recognize that such SMS data may contain personal information,
potentially including sensitive personal information, not only of the
data subjects but also of third parties who have no connection to
the loan agreement between AND-FC and the data subjects. As
such, the data subjects to the loan agreement with AND-FC cannot
give their consent for the third parties whose personal data may be
in the SMS.

We further note that AND-FC intends to process SMS data that
may contain any type of information,9 which could include personal
information and sensitive personal information, about the data
subjects and third parties. We wish to point out that the legitimate
interest of AND-FC and the borrower cannot serve as the basis for
processing the data of third parties in this scenario since the right
to privacy of the latter must prevail over the legitimate interest of
AND-FC and the borrower.10 Consequently, the potential borrower
should not disclose the information of third parties to AND-FC.

On the other hand, we note from the Access to Online Banking
Financial Information [onetime read-only access] PIA (Online Banking
PIA) that two additional types of information will be processed, namely:
online banking account details and online banking statement history.

Said collection is likewise for the purpose of determining the
creditworthiness and whether to increase the credit limit of the data
subjects. We reiterate our above discussions on proportionality on
this matter.

We note from the Online Banking PIA that for the purpose of
developing and improving the credit scoring system, products and
services, information about data subjects may be anonymized.

10 Data Privacy Act of 2012, § 12 (f).
11 Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, 10 April 2014, § 2.1 – Definition in the EU legal context.
12 National Privacy Commission, Guidelines on the Processing of Personal Data for Loan-Related Transactions [NPC Circular No. 20-01], 14 September 2020.


We reiterate the discussions above that the additional purposes (i.e.,
develop and improve credit-scoring systems) must have a separate
lawful basis. Otherwise, AND-FC runs the risk of violating the DPA
and the data privacy rights of the borrowers.

the data subject agrees to the collection and processing of personal
information about and/or relating to him or her. Consent shall be
evidenced by written, electronic or recorded means. It may also
be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.13

This relates to the obligation of AND-FC to inform the data subjects
of the nature, extent, and purpose of the processing being done in
relation to the declared specific purpose, their rights under the DPA,
and the security measures being implemented to protect their
personal information. AND-FC shall also inform the data subjects
about the consequences of granting or not granting permissions.

In the case of JVA vs UPESO,14 the NPC ruled that:

“The test to determine if the personal information controller has complied
with the general privacy principle of transparency is to examine whether
an average member of the target audience could have understood
the information provided to them. This does not, however, mean that
the requirement to use clear and plain language necessitates using
layman’s terms in place of technical words at the risk of not capturing
the complex concepts they represent. Rather, this requirement means
that the information required under Sections 18(a) and 34(a)(2) of the
Implementing Rules and Regulations should be provided in as simple a
manner as possible, avoiding sentence or language structures that are
complex. The information provided should be concrete and definitive; it
should not be phrased in “abstract or ambivalent terms or leave room for
different interpretations. x x x ” (emphasis supplied)

Thus, a valid consent may only be obtained from the data subject if
the latter had been duly informed of the abovementioned information
in a manner that gives them a real choice whether to allow or deny
access to their SMS data and/or online banking details.

We suggest revisiting your consent forms to ensure that consent
is freely given by the data subjects and that they have been duly
informed of all their rights as well as consequences in giving their
consent. In addition, we suggest having separate consent options
for the other processing activities enumerated in the PIAs that are
not essential to provide the service or product sought to be availed
of by the data subject. This would give the data subjects a choice
to participate in the use of their personal data for the purpose of
improving the credit-scoring system of AND-FC and enable them
to avoid having to sign off on the entire processing activities,
particularly those activities that are not related to the purpose of
securing a loan.

13 Data Privacy Act of 2012, § 3 (b).
14 National Privacy Commission, JVA vs UPESO [NPC Case No. 19-498], 9 June 2020.

We reiterate, however, that even if data subjects consent to the
processing of their personal information, their consent does not
constitute a waiver of the principle of proportionality. Thus, even
if AND-FC complies with all the requisites of consent but fails to
address the issues mentioned above, the processing may still be
considered invalid.

Privacy by design

In addition to the conduct of the PIA, it is recommended that AND-
FC incorporate privacy by design principles in the development of
the mobile loan application. Privacy by design is an approach that
ensures that privacy and data protection have been considered
during the design phase of a system, project, program, and process
and will continue to be taken into account throughout its lifecycle
and implementation.15

We note that AND-FC acknowledged in the PIA that the processing
activities are not proportional to the purpose stated. This
notwithstanding, AND-FC did not propose measures to address
these issues and, instead, sought clearance through an Advisory
Opinion to process personal information. Incorporating privacy
by design in the development of a revised process and data flow
system may guide AND-FC in properly addressing the privacy risks
identified in the PIA.


Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.
Please be guided accordingly.

Very truly yours,

(SGD.) FRANKLIN ANTHONY M. TABAQUIN, IV
Director IV, Privacy Policy Office

15 See generally: Cavoukian, Ann Ph.D., Privacy by Design - The 7 Foundational Principles - Implementation and Mapping of Fair Information Practices, available at https://iapp.org/media/pdf/resource center/pbd implement 7found principles.pdf (last accessed 21 Oct 2021).


ADVISORY OPINION NO. 2022-014¹
2022 - 014
31 August 2022

Re: RECORDING AND UPLOADING OF ONLINE CLASSES

Dear ,

We write in response to your email received by the Presidential
Complaint Center, which was forwarded to the National Privacy
Commission (NPC) seeking clarification on whether the recording of
online classes and uploading the same to Google Classroom are a
violation of privacy law.

From your inquiry, we understand that you teach in college, and it is
your school’s policy to require the recording of online classes and
uploading the same to Google Classroom. We further understand
that for not recording and uploading your online class, you are now
facing a hearing in your school.

You now ask for the NPC’s guidance on whether the requirement of
recording online classes and uploading them is a violation of the law.

Lawful criteria for processing of online class
recordings; educational framework as the contract
between the school and the student.

Republic Act No. 10173 or the Data Privacy Act of 2012² (DPA) is the
law that governs the processing of all types of personal information
and provides for the rights of the data subjects. Recording of online
classes and any kind of activity pertaining to the recording, be it
uploading or storage, are considered as processing of personal
data, considering the content of the recording involves the names,
images, videos, audio or other personal data of the individuals in the
online class. Thus, any activity done in relation to the online class
must be in accordance with the provisions of the DPA.

1 Tags: online classes, recording of online classes, lawful criteria for processing.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).


For the lawful criteria of processing of personal information, Section
12 of the law provides the instances when personal information may
be processed, while Section 13 enumerates the allowable grounds
of processing of sensitive personal information.3 Should any of the
grounds be present in the given scenario, there is lawful basis for
the requirement of recording and uploading of online class sessions
by the school.

In Non vs. Dames II,4 the Supreme Court clarified the relationship
between the school and the students in this wise:

But it must be repeatedly emphasized that the contract between the
school and the student is not an ordinary contract. It is imbued with
public interest, considering the high priority given by the Constitution to
education and the grant to the State of supervisory and regulatory powers
over all educational institutions [See Art. XIV, secs. 1-2, 4(1)].

The above doctrine was emphasized in Isabelo, Jr. vs. Perpetual
Help College of Rizal where the Supreme Court declared: “We have
also stressed that the contract between the school and the student,
imbued, as it is, with public interest, is not an ordinary contract.”5

Reiterating the doctrine in the Alcuaz and Non cases, the Supreme
Court characterized the school-student relationship as contractual
in nature.6

The NPC considered this characterization by the Supreme Court of
the contractual relationship between the school and the student in
its interpretation of the application of the DPA in a school setting.
The NPC refers to this contract between the school and the student
as the “educational framework,” which encompasses all activities
and operations the school may perform in line with the student’s
education. Any processing of personal information to fulfill the
obligations of parties within the educational framework is permissible,
as provided in Section 12 (b) of the DPA which states:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:

xxx

3 See Data Privacy Act of 2012, §§ 12-13.
4 Non v. Dames II, 264 PHIL 98-131 (1990).
5 Isabelo, Jr. v. Perpetual Help College of Rizal, Inc., 298 PHIL 382-389 (1993).
6 Parents-Teachers Association of St. Mathew Christian Academy v. Metropolitan Bank and Trust Co., 627 PHIL 669-690 (2010).
7 Emphasis supplied.


(b) The processing of personal information is necessary and is related to
the fulfillment of a contract with the data subject or in order to take steps
at the request of the data subject prior to entering into a contract;7

On the other hand, in the case of processing of sensitive personal
information within the educational framework, which includes an
individual’s information of his or her education such as grades,
performance or awards, etc., such processing is still permitted under
Section 13 (a) of the DPA, to wit:

SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose
prior to the processing, xxx.

Although the “fulfillment of a contract” requirement is not included
in the enumeration in Section 13, the NPC anchors the processing
of sensitive personal information within the school’s educational
framework upon consent based on jurisprudence defining the
contractual nature of the relationship between the school and the
student. Hence, upon enrollment, the student and the school are
deemed to have executed a contract imbued with public interest
that necessarily carries with it the consent of both parties. A different
interpretation would otherwise create an absurd situation where
schools may not process or use their students’ educational
information for his or her own education and benefit.

Processing of personal data within the educational
framework in relation to academic freedom.

At this juncture, the NPC would like to clarify that educational
institutions may process personal data to achieve the purposes
within their educational framework without the need for consent of
the data subject. The data subject in an educational setting includes
students,8 faculty and staff. It is then of utmost importance that the
school delineates all processing operations, carefully identifying
those that are core to the educational framework and those outside
of it (e.g. marketing or public relations purposes).

8 In the case of minor students, their parents or guardians.
9 Note 5, supra.
10 G.R. No. 99327, May 27, 1993.
11 Isabelo Jr., 298 PHIL 382-389.


In the given facts, the NPC deems the recording of online classes,
and any use, storage or any kind of processing related thereto, as
permissible processing within the educational framework. The NPC,
through our separate discussions with the Department of Education
(DepEd) and Department of Interior and Local Government (DILG),
has been informed of the necessity for these online class recordings.

Connected to this, the Supreme Court reiterated in the Isabelo, Jr.
case,9 the doctrine in Ateneo de Manila University vs. Capulong10
that: “…this Court cited with approval the formulation made by
Justice Felix Frankfurter of the essential freedoms subsumed in
the term ‘academic freedom’ encompassing not only ‘the freedom
to determine . . . on academic grounds who may teach, what may
be taught (and) how it shall be taught’ but likewise ‘who may be
admitted to study.’”11

In the same vein, the NPC respects the same doctrine of Academic
Freedom for the processing of personal data within the educational
framework, if it is in accordance with the provisions of the DPA
and other existing laws, rules and regulations. The NPC will remain
neutral on the chosen methods and technology by the educational
institution as long as it is within the bounds of the law.

Given the foregoing, the complained requirement of recording
online classes and uploading of the same to Google Classroom is not
violative of one’s data privacy. However, we take this opportunity to
remind the school to uphold the principle of transparency and the
data subject’s right to information, such that all data subjects within
its responsibility are apprised of the school’s privacy policies.

In view of this, we take this opportunity to remind schools to create
and implement policies covering the processing of online class
recordings, including the specific purposes for and acceptable use of
such recordings. This can be made through privacy policies that are
properly disseminated to all data subjects, including school faculty
and staff, the students, and their parents or guardian, if necessary.
Having clear policies will not only protect the data privacy of students
but the teachers’ as well.

96 THE 2022 COMPENDIUM OF NPC ISSUANCES


We also advise you to check on our website Public Health Emergency
Bulletin No. 17 (Bulletin), which is an Update on the Data Privacy
Best Practices in Online Learning. In this Bulletin, recommendations
from government agencies, teachers, learners and parents were
gathered to help assess and adequately address concerns relative
to online learning. This Bulletin may be helpful and applicable
regarding the concern raised in your email. You may find our Bulletin
at this link: NPC PHE BULLETIN No. 17: Update on the Data Privacy
Best Practices in Online Learning » National Privacy Commission.

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.) FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

ADVISORY OPINION NO. 2022-015¹

23 June 2022

Re: USE OF CAMERA DURING SURVEILLANCE VISITS


Dear ,

We respond to your request for an Advisory Opinion on the taking
of photos or videos by the Regulations Licensing and Enforcement
Division (RLED) of the Department of Health - Metro Manila Center
for Health Development (DOH-MMHCD) during its monitoring and
surveillance visits.

You inform that DOH Administrative Order No. 2012-0012 dated 18
July 2012 authorizes the RLED to conduct on-site visits and inspection
of health facilities such as hospitals, lying-in clinics, dental clinics and
clinical laboratories. To aid the exercise of RLED’s visitorial function,
it proposes to document its on-site visits through photos and videos
to facilitate the resolution of complaints and the imposition of the
appropriate penalties.

You thus seek clarification on the following:

1. Whether the RLED can take photos and videos during on-site visits for
monitoring and surveillance purposes, without requesting the consent
of the authorized representatives of the health facilities or the persons
whose photo or video will be taken.

2. Whether RLED can use photos and videos for the purpose of presenting the
same in courts and administrative bodies.

3. What data privacy laws, rules and regulations are applicable to RLED in the
taking and use of photos and videos from on-site visits.

1 Tags: lawful processing; statutory mandate; photographs; taking of videos.

Processing of audio-visual recordings for monitoring and surveillance purposes without consent allowed under the DPA under certain instances.

Personal information refers to any information whether recorded
in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity
holding the information, or when put together with other information
would directly and certainly identify an individual.2 Accordingly, the
image of an identifiable individual captured in a photograph or video
is personal information about the individual and, thus, covered by
the Data Privacy Act of 2012 (DPA).

The collection and use of audio-visual recordings may be justified
under Section 12 of the DPA, specifically where the processing is
necessary for compliance with a legal obligation,3 or to fulfill functions
of public authority which necessarily includes the processing of
personal data for the fulfillment of its mandate.4

Under Section 12 of the DPA, the processing of personal information
shall be permitted only if not otherwise prohibited by law and when
at least one of the following conditions exists:

(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related
to the fulfillment of a contract with the data subject or in order to
take steps at the request of the data subject prior to entering into a
contract;
(c) The processing is necessary for compliance with a legal obligation to
which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of
the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency,
to comply with the requirements of public order and safety, or to fulfill
functions of public authority which necessarily includes the processing
of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject
which require protection under the Philippine Constitution. (emphasis
ours)

2 Data Privacy Act of 2012, § 20 (c)
3 Id. § 12 (c)
4 Id. § 12 (e)
5 National Privacy Commission, NPC Advisory Opinion No. 2018-053 (November 26, 2018).
6 Data Privacy Act of 2012, § 3 (l) (2)

Thus, in NPC Advisory Opinion No. 2018-053,5 we stated that the
processing of personal information, which in that case involves
photographs of hospital staff and doctors, can only be lawfully
taken and processed when at least one of the conditions set forth in
Section 12 of the DPA exists.

In addition, Section 13 of the DPA may likewise apply where a
footage or image involves sensitive personal information, such as
clinical photographs which necessarily contain the health information
of patients.6 Sensitive personal information refers to personal
information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged
to have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which
includes, but not limited to, social security numbers, previous or
current health records, licenses or its denials, suspension or revocation,
and tax returns; and
(4) Specifically established by an executive order or an act of Congress to
be kept classified.

In which case, the processing thereof is prohibited except in the
following cases:

(a) The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all
parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and
regulations: Provided, that such regulatory enactments guarantee the
protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects
are not required by law or regulation permitting the processing of the
sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the
data subject or another person, and the data subject is not legally or
physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations: Provided,
That such processing is only confined and related to the bona fide
members of these organizations or their associations: Provided,
further, That the sensitive personal information are not transferred to
third parties: Provided, finally, That consent of the data subject was
obtained prior to processing;

7 Id. § 13 (b)

(e) The processing is necessary for purposes of medical
treatment, is carried out by a medical practitioner or a
medical treatment institution, and an adequate level of
protection of personal information is ensured; or
(f) The processing concerns such personal information as is
necessary for the protection of lawful rights and interests
of natural or legal persons in court proceedings, or the
establishment, exercise or defense of legal claims, or when
provided to government or public authority.

As mentioned above, Section 13 (b) recognizes processing that
is imposed by existing laws and regulations. As applied in this
instance, the processing of such images is anchored on such rules
and regulations mandating the RLED to conduct monitoring and
surveillance of health facilities regulated by the DOH. Hence, it is
permitted under the DPA to process personal data through the
taking of photos or videos during on-site visits and the consent of
the data subject/s is not required should their images be captured
in the process.

We wish to reiterate that the consent of the data subject/s is not
the only lawful criterion for processing information and that the PIC
should choose the lawful basis that most closely reflects the true
nature of the relationship with the data subject and the purpose of
the processing.

As for photos or videos of hospital premises, the DPA will not apply
if no individual or data subject is captured. This does not mean,
however, that other laws, regulations and generally accepted
hospital standards will not apply.8

Audio-visual recordings may be used as evidence by the RLED in courts and administrative bodies.

On the question of whether RLED can use photos and videos as
evidence in courts and administrative bodies, Section 13 (f) states
that processing of sensitive personal information is permitted if
the processing is necessary for the protection of lawful rights
and interests of natural or legal persons in court proceedings, or

8 NPC Advisory Opinion No. 2018-053.

the establishment, exercise or defense of legal claims, or when
provided to government or public authority. Although Section 13(f)
applies to sensitive personal information, the protection of lawful
rights and interests under Section 13 (f) is considered as legitimate
interest pursuant to Section 12(f) of the DPA.9 This section provides
that it is lawful to process personal information if it is necessary
for the purpose of the legitimate interests pursued by the personal
information controller or by a third party or parties to whom the
data is disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which require
protection under the Philippine Constitution.10

Thus, the RLED may present in evidence photos or videos it captured
during inspections as the processing of such information is pursuant
to the existence of the latter’s legitimate interest which is to resolve
complaints filed against health facilities, and consequently, the
imposition of penalties thereto.
We wish to reiterate that the law does not prohibit government
agencies from processing personal data pursuant to their respective
mandates, taking into consideration the applicable provisions of
law, rules and regulations, and the general data privacy principles
enunciated in the DPA. The DPA promotes fair, lawful, and secure
processing of such information.

Adherence to the general data privacy principles when taking audio-visual recordings during on-site visit; data subjects’ rights; security measures.

While there may be lawful basis for processing under the DPA, the
RLED must always adhere to the general data privacy principles of
transparency, legitimate purpose, and proportionality.
The principle of proportionality requires that processing of personal
information shall be adequate, relevant, suitable, necessary, and not
excessive in relation to the declared and specified purpose.11 We
note from your letter that the RLED intends to document its on-
site visits through photos and videos to facilitate the resolution of
complaints and the imposition of the appropriate penalties. The RLED
must ensure that such photos and videos will only be processed in
relation to such purpose.

9 CID Case No. 17-K-003 dated 19 November 2019
10 R.A. 10173, Section 12(f); Ibid.
11 Data Privacy Act of 2012, § 11 (c)

On the other hand, the principle of transparency requires that the
data subject must be aware of the nature, purpose, and extent
of the processing of his or her personal data, including the risks
and safeguards involved, the identity of the personal information
controller, his or her rights as a data subject and how these can
be exercised. During the RLED’s inspection, it must provide the
appropriate privacy notices to apprise data subjects that it will take
photos or audio-visual recordings.

A privacy notice is a statement made to a data subject that describes
how an organization collects, uses, retains and discloses personal
information. A privacy notice may be referred to as a privacy
statement, a fair processing statement or, sometimes, a privacy
policy.12 In the present case, we suggest that RLED create a privacy
notice that taking of photographs or audio-visual recordings may be
done during on-site visits or inspections and must include the lawful
criteria on which the processing is based. This privacy notice
may be presented to the health facilities before conducting the
inspection or when questions are raised on the propriety of taking
photographs or videos by the RLED. By doing so, the data privacy
principle of transparency is complied with.

Lastly, the RLED is required by the DPA to uphold the rights of
data subjects and implement reasonable and appropriate security
measures for the protection of the personal data collected against
unauthorized processing. As such, the RLED must integrate privacy
and data protection in all processing activities involved in the
conduct of its on-site visit/s, considering the nature of the personal
data that requires protection, the risks to the rights and freedoms
of the patients as data subjects, current data privacy best practices,
among others.13 We also reiterate that the audio-visual recordings,
should only be used for the intended purpose thereof. You may
refer to NPC Circular No. 2016-01 - Security of Personal Data in
Government Agencies for further details as to which appropriate
security measures are applicable to your agency.

12 IAPP, Glossary of Privacy Terms, available at https://iapp.org/resources/glossary/#paperwork-reduction-act-2
13 Data Privacy Act of 2012, § 20

Please be advised that this Advisory Opinion was rendered based
solely on your provided information. Any extraneous fact that may
be subsequently furnished to us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.) FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

ADVISORY OPINION NO. 2022-016¹

5 July 2022

Re: REQUEST FOR PERSONAL INFORMATION OF OFWs DEPLOYED IN THE MIDDLE EAST AND OTHER MUSLIM COUNTRIES

Dear ,

We respond to your request for an Advisory Opinion on the above
matter.

You inform that the Hajj Attaché is an office attached to the National
Commission on Muslim Filipinos (“NCMF”). As the current Hajj Attaché
to the Kingdom of Saudi Arabia and the Philippine representative to
the Office of the Islamic Conference, you have witnessed the abuses
committed against Overseas Filipino Workers (“OFWs”).

To address these abuses expeditiously, you requested the Department
of Foreign Affairs, Department of Labor and Employment, Overseas
Workers Welfare Administration, and the Philippine Overseas
Employment Administration (collectively, “Subject Departments”)
for the contact details and personal information of all OFWs
working in Muslim countries you deal with. It is your position that
the NCMF is vested with the legitimate interest, the legal obligation,
and the “public task” to obtain the requested data from the Subject
Departments. However, you state that the Subject Departments are
apprehensive about sharing with your office the OFWs’ personal
data, citing possible violation of the Data Privacy Act of 20122
(“DPA”).

Consequently, you seek our opinion to support your request and
justify the release of information by the Subject Departments.

1 Tags: lawful processing; legitimate interest; data privacy principles.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).

National Commission on Muslim Filipinos; mandate.

Under Republic Act (RA) 9997,3 the NCMF is mandated to preserve
and develop the culture, tradition, institutions, and well-being
of Muslim Filipinos, in conformity with the country’s laws and in
consonance with national unity and development.

As mentioned throughout its enabling law, the NCMF’s powers and
functions specifically pertain to Muslim Filipinos. However, your
request to the Subject Departments states that what you are asking
for is the personal information of all OFWs (i.e., Muslims and non-
Muslims) in the Muslim countries within the jurisdiction of your office.
It is our understanding that not all OFWs in these countries are
Muslim Filipinos. Hence, the non-Muslim OFWs appear to be beyond
the prescribed mandate of the NCMF. As presently worded, your
request to the Subject Departments appears to encroach on their
jurisdiction since the powers and mandate of the NCMF only pertain
to Muslim Filipinos.

While the processing of the personal data of Muslim OFWs may
fall within the mandate of the NCMF, said mandate appears to
exclude the processing of the personal information of non-Muslim
OFWs. Hence, there may be a need to secure the consent of non-
Muslim OFWs prior to the collection and disclosure of their personal
information to the NCMF.

It is worth noting further that Section 15 of RA 9997 explicitly provides
for the extent of the functions of the Hajj Attaché:

Section 15. Hajj Attaché.— The President shall appoint a Hajj Attaché from
among the three (3) recommendees of the Commission within fifteen (15)
days from the submission of such recommendees by the Commission. The
Hajj Attaché shall coordinate with the Ministry of Hajj of the Kingdom of
Saudi Arabia on all matters pertaining to the conduct of the annual Hajj.
He/She shall be an academic degree holder and must be able to write and
speak fluently the Arabic language. He/She shall hold office in the Kingdom
of Saudi Arabia and shall enjoy the same rank, salary, and privileges as
those of Attachés of the national government. (Emphasis supplied).

From the foregoing, we note that the authority of the Hajj Attaché
is limited to all matters pertaining to the conduct of the annual Hajj
to the Kingdom of Saudi Arabia. Thus, there may be a need to

3 An Act Creating the National Commission on Muslim Filipinos Defining its Powers, Functions and Responsibilities and Appropriation Funds Therefor and for other purposes [National Commission on Muslim Filipinos Act of 2009], Republic Act No. 9997, § 4 (2009).
4 Data Privacy Act of 2012, § 4.

also determine whether the NCMF, through the Hajj Attaché, is the
appropriate department to handle the above concerns or if it would
be more legally sound to refer the concern to other agencies (i.e.,
the Subject Departments).

Scope; Lawful basis for processing personal information; Section 12; legal obligation; legitimate interest.

The DPA applies to the processing of all types of personal
information and to any natural and juridical person involved in
personal information processing.4

As discussed above, if after judicious assessment it is determined
that the mandate of the NCMF and/or the Hajj Attaché may cover
the processing of personal data for the purpose of reaching out
to distressed Muslim OFWs, their families, and relatives, then the
processing of their personal data may be justified as will be discussed
below.

The collection and disclosure of personal information5 of Muslim
OFWs constitute processing.6 As applied to your present concern,
Section 12 (c) and (e) of the DPA appears to be the most appropriate
criteria for lawful processing by the NCMF, thus:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:
xxx

(c) The processing is necessary for compliance with a legal obligation to
which the personal information controller is subject;

(e) The processing is necessary in order to respond to national emergency,
to comply with the requirements of public order and safety, or to fulfill
functions of public authority which necessarily includes the processing of
personal data for the fulfillment of its mandate; xxx

(Emphasis supplied).

Thus, the NCMF must justify to the Subject Departments that its
processing falls within the ambit of the foregoing provisions.

5 Id. § 3 (g).
6 Id. § 3 (j).
7 Id. § 11.

Thereafter, the Subject Departments may disclose such personal
information to NCMF but subject to the general data privacy
principles.7

On the other hand, if sensitive personal information is involved,
NCMF’s processing thereof may be permitted under Section 13 (b)
of the DPA, viz.:

SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases: x x x

(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee
the protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects are
not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information; x x x

You cited in your letter Section 12 (f) of the DPA on legitimate interest
as a possible basis for lawful processing of personal data:

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

It is a well-settled rule that the powers and functions of statutorily-
created agencies, such as the NCMF, are measured and limited by
the law creating them or granting them powers.8

Thus, while NCMF may rely on Section 12 (c), (e), and Section 13 (b)
for the processing of personal data of Muslim OFWs, it cannot rely
on legitimate interest as a criterion for the processing of the same. It
has no such legitimate interest to go beyond its mandate. Any and
all processing of personal information and sensitive personal
information should be hinged on its legal mandate.

Adherence to the general data privacy principles; transparency; proportionality; privacy notice.

8 Chavez v. National Housing Authority, 530 SCRA 235 (2007).
9 E.g., posting in their website or other appropriate platforms the NCMF or Hajj Attaché’s contact details, address, updates, and announcements.

Section 11 of the DPA and Section 18 of its Implementing Rules and
Regulations (“IRR”) provide that personal information controllers
(“PICs”), such as the NCMF and the Subject Departments, are required
to adhere to the general data privacy principles of transparency,
legitimate purpose, and proportionality.

The principle of transparency refers to the awareness of the data
subjects about the nature, purpose, and extent of the processing of
their personal information, including recipients of their personal data.
Hence, the Subject Departments must first inform the Muslim OFWs
that their personal information will be shared with the NCMF, as well
as the nature, purpose, and extent of the processing. If the NCMF
determines that its purpose can only be fulfilled by processing the
personal information of Muslim OFWs, it should not collect personal
information over and beyond that which is required to achieve the
declared purpose.

On the other hand, the principle of proportionality requires that the
NCMF should ascertain if its purpose cannot be fulfilled by any other
less intrusive means.9 Hence, the NCMF should specifically state
the type of personal information it needs from these agencies. The
request for the “names, contact details, email addresses & other
personal information of all Overseas Filipino Workers deployed in
the Middle East” may be too broad and excessive and, therefore,
violative of the principle of proportionality.

Finally, the principle of legitimate purpose provides that the
processing of personal information should be compatible with a
declared and specified purpose which is not contrary to law, morals,
or public policy.

Lest we be misconstrued, allow us to emphasize that we share
the very laudable objective of the Honorable Hajj Attaché to assist
distressed OFWs. However, any processing of personal information
should be in accordance with the DPA and other existing rules and
regulations.

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact
that may be subsequently furnished to us may affect our present
position. Please note further that our Advisory Opinion is not intended
to adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.) FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

ADVISORY OPINION NO. 2022-017¹

20 September 2022

Re: DISCLOSURE OF PERSONAL INFORMATION FOR CYBERSECURITY INVESTIGATIONS

Dear ,

We respond to your request for an Advisory Opinion on the
application of Republic Act 10173 (or the Data Privacy Act of 2012
[DPA])2 on your client’s request for information from a certain
corporation for investigation purposes regarding a cybersecurity
incident.

We understand that your client, Corporation A, is the owner,
operator, and franchise licensor of Brand B stores in the Philippines.
Besides being a seller of consumer products, Brand B stores offer
e-services such as bills payment, top up, cash-in, and remittance for
its accredited merchant partners. One of Corporation A’s largest
merchant partners is Corporation C, which is an e-Money Issuer.

You allege that on 1 December 2020, Corporation A discovered
staggering discrepancies between the cash-ins recorded in
Corporation A’s System and the actual cash received by a Brand
B store in Davao City. Corporation A created an investigation
committee which learned that during the period 9 November – 1
December 2020, 2,516 unique Corporation C accounts successfully
made cash-ins through the Corporation C application amounting to
PhP249,011,058.00, all without going through the Point of Sale
(POS) system of the Brand B Davao Store and without the latter
receiving the money from the account holders. The cash-ins appear
to have bypassed Corporation A’s System and POS and, thus,
Corporation A has no record of receiving the amounts.

1 Tags: personal data; lawful processing; consent of data subjects; legal claims; Sec. 13 (f), DPA.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).

Corporation A immediately notified Corporation C of the incident
and requested the latter to block the said 2,516 accounts. Based
on Corporation A’s investigation, while the cash-ins involved 2,516
accounts, the incident appears to have been instigated by a syndicate
of approximately 10 people by creating and using the said accounts.

In the course of Corporation A’s investigations, it coordinated with
Corporation C to request for information and validation of the
2,516 accounts that made the cash-ins. In particular, Corporation A
requested for the following information (Requested Information):

1. Number of Corporation C accounts opened after November 2020;
2. Number of top-up transactions that were made through the
Corporation C application;
3. Information regarding the accounts, including details on
date of creation, manner of KYC, and other pertinent details;
4. Confirmation that the 2,516 accounts were legitimate
Corporation C users;
5. Confirmation that the 2,516 accounts have been prevented
from further withdrawals;
6. Confirmation that Corporation C has alerted recipient
financial and non-financial institutions of the fraudulent activity
in order for them to hold the funds;
7. Information regarding the recipient financial institutions that
the funds were transferred or withdrawn, and the number of
unique accounts in each;
8. Information regarding the withdrawals from ATM machines
using the Corporation C ATM card, specifying the date, time,
location, and ATM operator/bank;
9. Confirmation that the ATM operator has been notified of
possible fraud and instructing them to store CCTV footage
from the ATM pending further investigation;
10. Any other details that could aid Corporation A in the
investigation.

However, Corporation C responded that any information to be
released in relation to the incident was covered by the DPA. According
to Corporation C, there must be prior consent from the data subject
or a court order compelling it to disclose the information.

3 Data Privacy Act of 2012, § 3 (g).

112 THE 2022 COMPENDIUM OF NPC ISSUANCES


You thus ask whether:

a. Item nos. 1, 2, and 4 to 10 of the Requested Information are not
considered as personal data, and thus not covered by the DPA; and
b. Even assuming the above information, as well as item no. 3, are
considered personal data, that the disclosure of such Requested
Information does not require data subject consent prior to disclosure,
as claimed by Corporation C.

It is your contention that item nos. 1, 2, and 4 to 10 are not personal
data considering that the disclosure will not enable or allow the
identification of persons, individuals or data subjects and are not
within the purview of protected information under the DPA. In
addition, it is your opinion that consent of the data subject and court
order are not the only bases for disclosure of personal data.

Information excluded from the scope of the DPA.

Under the DPA, personal information refers to any information,
whether recorded in a material form or not, from which the identity of
an individual is apparent or can be reasonably and directly ascertained
by the entity holding the information, or when put together with
other information would directly and certainly identify an individual.3
On the other hand, sensitive personal information is clearly defined
under Section 3 (l) of the law.4 Consequently, information that does
not identify an individual is beyond the scope of the DPA.

Nevertheless, there is a need to examine the nature of the information
involved in item nos. 1, 2, and 4 to 10 to ascertain if they are indeed
excluded from the scope of the DPA.

Item no. 1 [number of Corporation C accounts opened after
November 2020] and item no. 2 [number of top-up transactions that
were made through the Corporation C application] only deal with
numbers of accounts and transactions, respectively.

Item no. 4 [confirmation that the 2,516 accounts were legitimate
Corporation C users], item no. 5 [confirmation that the 2,516
accounts have been prevented from further withdrawals], item no.
6 [confirmation that Corporation C has alerted recipient financial
and non-financial institutions of the fraudulent activity in order for
them to hold the funds], and item no. 9 [confirmation that the ATM
operator has been notified of possible fraud and instructing them
to store CCTV footage from the ATM pending further investigation]
merely involve verification of the action mentioned that can be
responded to by a simple “yes” or “no” answer.

4 Id. § 3 (l).
5 See: National Privacy Commission, BGM vs. IPP, NPC 19-653 (17 December 2020), available at https://www.privacy.gov.ph/wp-content/uploads/2021/02/NPC-19-653-BGM-vs-IPP-Decision-FINALPseudonymized-21Dec2020.pdf (last accessed 03 February 2022).

Item no. 7 [information regarding the recipient financial institutions
that the funds were transferred or withdrawn, and the number of
unique accounts in each] deals with business information.

Item no. 8 [information regarding the withdrawals from ATM machines
using the Corporation C ATM card, specifying the date, time, location,
and ATM operator/bank] is information on transaction details of
withdrawals using the Corporation C ATM card, specifically limited to
date, time, location and the ATM operator/bank.

The foregoing reveals that the information enumerated above is not
personal data, as it does not identify a unique individual. Thus, such
items are indeed outside the scope of the DPA.

However, item no. 10 [any other details that could aid Corporation
A in the investigation] is too broad for us to determine if it may include
personal data as defined by the DPA.

Consent or court order not required for disclosure; information
necessary for the establishment, exercise or defense of legal claims

It is your contention that all of the Requested Information, including
item no. 3 [information regarding the accounts, including details on
date of creation, manner of KYC, and other pertinent details], are
not covered by the DPA. You also contend that even if items 1, 2, and
4 to 10 are considered as personal data, such information may still
be disclosed without the need for the data subject’s consent or a
court order, citing Sections 12 (f) and 13 (f) of the DPA in conjunction
with the National Privacy Commission’s (NPC) Decision in BGM vs.
IPP.5


We find merit in your argument.

Sections 12 (f) and 13 (f) of the DPA state:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not
otherwise prohibited by law, and when at least one of the following
conditions exists:

xxx

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases:

xxx

(f) The processing concerns such personal information as is necessary
for the protection of lawful rights and interests of natural or legal persons
in court proceedings, or the establishment, exercise or defense of legal
claims, or when provided to government or public authority. (Emphasis
supplied)

In NPC Advisory Opinion No. 2021-036,6 the NPC once again
discussed the application of the abovementioned provisions in
relation to the processing of personal data necessary for the
establishment, exercise or defense of legal claims out of court,
and likewise reiterated its ruling in BGM vs. IPP, viz:

In the interpretation of the phrase “establishment, exercise or defense of
legal claims,” the Commission reiterated its stand in the case of BGM vs.
IPP, viz:

In the case of NPC 17-018 dated 15 July 2019, this Commission held that
“processing as necessary for the establishment of legal claims” does not
require an existing court proceeding. To require a court proceeding for the
application of Section 13(f) to this instance would not only be to disregard
the distinction provided in the law but the clear letter of the law as well.
After all, the very idea of “establishment … of legal claims” presupposes
that there is still no pending case since a case will only be filed once the
required legal claims have already been established.”

6 National Privacy Commission, Advisory Opinion No. 2021-036 (23 September 2021).


activities to obtain evidence by lawful means for prospective court
proceedings. As such, the DPA does not require the establishment of
actual or ongoing court proceedings in the application of Section 13 (f).

The Commission’s pronouncement in the same case of BGM v. IPP may be
applied in the same vein:

Although Section 13(f) applies to sensitive personal information
while the information involved in this case is just personal
information, the protection of lawful rights and interests under
Section 13(f) by the Respondent is considered as legitimate interest
pursuant to Section 12(f) of the DPA.7

Similar to the factual milieu of NPC Advisory Opinion No. 2021-036,
it is apparent that Corporation A has a legal claim to the
PhP249,011,058.00 that were allegedly fraudulently withdrawn
from Brand B Davao Store. In order to aid its own investigation and
establish its case, Corporation A would have to gather necessary
information from Corporation C as the merchant partner involved in
the transactions subject of the claim.

Given the foregoing, Corporation C need not obtain consent from
its data subjects or wait for a court order to provide Corporation A
with the Requested Information, subject to other applicable laws or
regulations.

We take this opportunity to remind that while it appears there exists
justification for the disclosure of personal data, the DPA mandates
that the principle of proportionality should still be adhered to.
Proportionality requires that the processing of information shall be
adequate, relevant, suitable, necessary, and not excessive in relation
to a declared and specified purpose.8

Please be advised that this Advisory Opinion was rendered based
solely on the information you provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

7 Id. Citations omitted.
8 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 18 (c) (2016).

ADVISORY OPINION
NO. 2022-0181
20 September 2022

Re: DATA SUBJECT RIGHTS IN THE PHILIPPINE IDENTIFICATION SYSTEM

Dear ,

We respond to your email inquiry on the rights of a data subject
in relation to the Philippine Identification System (PhilSys) and the
provisions of R.A. No. 10173, also known as the Data Privacy Act of
2012 (DPA).2

We understand that the Feedback and Grievance Division (FGD) of
the PhilSys Registry Office (PRO) relayed to the Philippine Statistics
Authority (PSA) Legal Service that a certain PhilSys registered person
requested the deletion of his/her personal data. At the time of your
inquiry, the PSA Legal Service has yet to confirm if the registered
person was already issued a PhilSys Number (PSN) or PhilSys Card
Number (PCN).

As context to your inquiry, you provided two scenarios. The first
scenario is that the registered person is already registered in the
PhilSys but has not been issued a PSN or PCN. In this scenario, you
opine that the registered person has the right to withdraw consent
as it is one of the rights of a data subject, and corollary thereto, the
registered person has the right to request for the deletion of his/her
personal data. In which case, it is your position that the registered
person must execute a written request to the PRO’s Data Protection
Officer (DPO) stating the request for deletion is in the exercise of his/
her right to erasure under the DPA. In relation to deletion, you opine
that if the PRO resolves to anonymize the data then the DPO may
validly deny the request for deletion of the registrant considering
that anonymized data is not considered personal data.

1 Tags: Philippine Identification System Act, PhilSys Act, PhilSys, national ID, identification system, rights of data subjects, right to object, right to erasure, right to deletion, lawful criteria for processing
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).

The second scenario is that the registered person has already been
issued a PSN or PCN. It is your opinion that since the PSN or PCN
has already been issued, the registered person’s right to erasure
has already ceased. The most that the registered person can do is
to request for the deactivation of her PSN or PCN pursuant to the
Implementing Rules and Regulations of R.A. No. 11055.

We further understand that in two separate instances, the NPC
confirmed that the processing of information under Republic Act
(RA) 110554 is not based on consent. You further mentioned that
in an online training conducted by an NPC representative, it was
clarified that if consent is not the basis of processing, then there is
nothing to withdraw.

You now ask whether a registered person is not entitled to withdraw
consent as well as erase or delete his/her personal data since the
processing is based on law and not consent, with no distinction as to
whether the registrant has already been issued PSN/PCN.

Right to object, when applicable; processing based on law.

The DPA sets the limits of personal data processing, including the
lawful bases of processing and the rights of the data subjects.

Involved in this inquiry are two (2) data subject’s rights: 1) the right
to object; and 2) the right to erasure or blocking. The “right to withdraw
consent” you mentioned stems from the data subject’s right to
object as provided by Section 16 (e) of the DPA5 and expounded
further by Section 34 (b) of the Implementing Rules and Regulations
of the Data Privacy Act of 2012 (IRR),6 which respectively state:

SEC. 16. Rights of the Data Subject. – The data subject is
entitled to:

xxx

(e) Suspend, withdraw or order the blocking, removal or
destruction of his/her personal information from the personal
information controller’s filing system upon discovery and
substantial proof that the personal information are incomplete,
outdated, false, unlawfully obtained, used for unauthorized
purposes or are no longer necessary for the purposes for
which they were collected.

4 Philippine Identification System Act.
5 Data Privacy Act of 2012, § 3 (g).
6 Rules and Regulations Implementing the Data Privacy Act of 2012, § 34 (b) (2016).

Section 34. Rights of the Data Subject. The data subject is
entitled to the following rights:

xxx

b. Right to object. The data subject shall have the right to
object to the processing of his/her personal data, including
processing for direct marketing, automated processing or
profiling. The data subject shall also be notified and given an
opportunity to withhold consent to the processing in case of
changes or any amendment to the information supplied or
declared to the data subject in the preceding paragraph.

When a data subject objects or withholds consent, the
personal information controller shall no longer process the
personal data, unless:

1. The personal data is needed pursuant to a subpoena;
2. The collection and processing are for obvious purposes,
including, when it is necessary for the performance of or in
relation to a contract or service to which the data subject is
a party, or when necessary or desirable in the context of an
employer-employee relationship between the collector and
the data subject; or
3. The information is being collected and processed as a result
of a legal obligation.7

As with any other data subject right, the right to object to the
processing of his/her personal data or to withdraw consent are not
absolute and must be exercised within the parameters stated under
the law. To see whether the right to object or withdraw consent will
apply, another aspect to consider is the lawful basis of processing of
personal data under the PhilSys.

It has been the National Privacy Commission’s (NPC) stand that RA
11055 provides the basis for the processing of personal data
of Filipinos and resident aliens under the PhilSys. Section 9 of
R.A. No. 11055, which provides: “… every citizen or resident alien
shall register personally…,” embodies the legal obligation of Filipino
citizens and resident aliens to register under the PhilSys, thereby
necessitating the processing of their personal data. In connection to
such requirement, Section 8 of RA 11055 lists the mandatory
demographic and biometric information to be collected from
registered persons.

7 Emphasis supplied.

Since it is the law and not consent that is the basis for processing
under the PhilSys, the right to withdraw consent by the data subject
does not apply. There is no consent to speak of since the registration
to PhilSys is a legal obligation imposed upon every citizen or resident
alien. To be clear, both the right to object and the right to withdraw
consent do not apply in any of the scenarios mentioned above.

Right to erasure or blocking under the PhilSys.

On the other hand, the right to erasure or blocking has its own
limitations as well. Section 34 (e) of the DPA’s IRR enumerates the
instances when the right to erasure may be exercised:

Section 34. Rights of the Data Subject. The data subject is
entitled to the following rights:

xxx

e. Right to Erasure or Blocking. The data subject shall have
the right to suspend, withdraw or order the blocking, removal
or destruction of his/her personal data from the personal
information controller’s filing system.

1. This right may be exercised upon discovery and substantial
proof of any of the following:

(a) The personal data is incomplete, outdated, false, or
unlawfully obtained;
(b) The personal data is being used for purpose not
authorized by the data subject;
(c) The personal data is no longer necessary for the
purposes for which they were collected;
(d) The data subject withdraws consent or objects to
the processing, and there is no other legal ground or
overriding legitimate interest for the processing;
(e) The personal data concerns private information that
is prejudicial to data subject, unless justified by freedom
of speech, of expression, or of the press or otherwise
authorized;
(f) The processing is unlawful;
(g) The personal information controller or personal
information processor violated the rights of the data
subject.

xxx

However, R.A. 11055 and its Revised IRR do not provide for grounds
for deletion or erasure of the registered person’s PSN/PCN or their
personal data. Instead, it provides for grounds for deactivation of
the PSN, viz.:8

Section 9. Deactivation of PSN

A. The PSN shall be deactivated on the following grounds:

1. loss of Filipino citizenship;
2. loss of resident alien status;
3. failure to submit to initial biometric capture at age
five (5) for persons who were registered at age four (4)
and below;
4. failure to submit to biometric capturing at age 15 for
persons who were registered at age 14 and below;
5. death of the registered person; and
6. upon the request of the registered person.

B. After due process, the PSA may deactivate the PSN on the
following grounds:

1. presentation of false or fictitious supporting
document/s during registration or during application
for change of entries;
2. misrepresentation in any form during and after
registration in the PhilSys; and
3. fraudulent application of biometric exception.

xxx

8 See Revised Implementing Rules and Regulations of the Philippine Identification System Act, § 9.

We emphasize that deactivation is not equivalent to deletion
in the system. RA 11055 is silent on the provision for deletion.
Likewise, the law and its Revised IRR do not make the distinction
on instances when an individual has or has not been issued a
PSN or PCN. Thus, in the absence of express provisions in the
law allowing for deletion in the system, the right to erasure,
or to demand for absolute deletion from the PhilSys, is not
applicable to registered persons in the PhilSys.

Finally, we take this opportunity to discuss your position that
if the PRO resolves to anonymize the data, the DPO may
then validly deny the request for deletion of the registrant
considering that anonymized data is not considered personal
data. We respectfully submit that the same misapplies the
concept of anonymization.

In Advisory Opinion No. 2018-068, the Commission discussed
anonymization at length, viz:

Information is anonymous when such information ‘does not
relate to an identified or identifiable natural person or to
personal data rendered anonymous in such a manner that the
data subject is not or no longer identifiable.’

We note also that ISO/IEC 29100 defines anonymization as
a process by which personally identifiable information (PII)
is irreversibly altered in such a way that a PII principal can
no longer be identified directly or indirectly, either by the PII
controller alone or in collaboration with any other party.

Any information is considered anonymized if there is no
possible means to identify the data subject, that is, the PIC
and/or any other person are incapable of singling out an
individual in a data set, from connecting two records within a
data set (or between two separate data sets) and from any
information in such dataset.

However, removing some identifiers, such as patient and
physician names, contact information, and location, may not
be enough to ensure that the PIC and/or any other person
can no longer identify the data subject. Anonymization
may necessitate additional measures to guarantee that the
anonymity of the information is irreversible.9

In addition, anonymization, like any other processing activity, should
be carried out with a legitimate purpose that is clear and specified. In
this case, anonymization may not be utilized for the purpose of denying
the deletion request.

The NPC, as the implementing agency tasked to regulate the
processing of personal data, must harmonize the DPA’s provisions
with other laws and regulations.

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

9 National Privacy Commission, NPC Advisory Opinion No. 2018-068 (20 November 2018); citations omitted.

ADVISORY OPINION
NO. 2022-0191
21 September 2022

Re: USE OF BODY-WORN CAMERA BY SECURITY PERSONNEL

Dear ,

We respond to your request for an advisory opinion regarding
the use of body-worn cameras (BWCs) by the security personnel
of ON Semiconductor Philippines, Inc., ON Semiconductor SSMP
Philippines Corporation, and ON Semiconductor Cebu Philippines,
Inc. (collectively, Corporations).

We gather that the Corporations are affiliate companies located
in Cavite, Tarlac, and Cebu, engaged in various manufacturing,
processing, and sale of semiconductors. Currently, the Corporations
are exploring the possibility of requiring their security personnel
to use body-worn cameras to record their field observations and
encounters, on top of the use of closed-circuit television systems
(CCTVs).

You thus ask whether the Corporations’ security personnel can
employ BWCs without violating the provisions of the Data Privacy
Act of 20122 (DPA).

Lawful basis for processing personal information; Section 12

The DPA applies to the processing of all types of personal information
and to any natural and juridical person involved in personal
information processing.3

1 Tags: body-worn cameras, lawful processing of personal information; general data privacy principles; transparency; proportionality; privacy notice.
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
3 Data Privacy Act of 2012, § 4.

Personal information is defined as any information whether recorded
in a material form or not, from which the identity of an individual
is apparent or can be reasonably and directly ascertained by the
entity holding the information, or when put together with other
information would directly and certainly identify an individual.4

Consequently, under the DPA, the images of identifiable individuals
captured in a photograph or audiovisual recordings are considered
personal information5 about the individual. Thus, the processing
thereof should comply with the provisions of the DPA.6

You mentioned that the use of the BWCs will be for a legitimate
purpose, i.e., to promote the safety and protect the security of
people and the manufacturing facilities of the Corporations. The use
of BWCs is envisioned to:

1. Raise standards during confrontational incidents;
2. Improve efficiency in incident escalation;
3. Supplement opportunities for evidence capture;
4. Reduce complaints; and
5. Assist with disciplinary and/or legal proceedings.

As justification, you cited Section 12 of the DPA, which provides for
the criteria for lawful processing of personal information based on
legitimate interests of the personal information controller (PIC), to
wit:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:

xxx
xxx

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

At the outset, we acknowledge that employers have legitimate
standing to uphold their legitimate business interests, such as employee
monitoring, security of the premises, investigations or disciplinary
purposes, and other reasonable purposes which are not contrary
to law, morals, or public policy.

4 Data Privacy Act of 2012, § 3 (g).
5 Id. § 3 (g).
6 Id. § 3 (j).

However, we emphasize that legitimate interest in the processing
activity should be linked to a specific context and that the PICs must
determine the most appropriate lawful basis for processing personal
information in relation to the specific purpose of the processing
activity.

Hence, while the processing of personal information based on
the legitimate interests of the PICs is allowed under the DPA, the
Corporations must assess if the use of BWCs within the premises will
pass the three-part test of Legitimate Interest, namely:

1. Purpose test - The existence of a legitimate interest must
be clearly established, including a determination of what the
particular processing operation seeks to achieve;
2. Necessity test - The processing of personal information
must be necessary for the purposes of the legitimate interest
pursued by the PIC or third party to whom personal information
is disclosed, where such purpose could not be reasonably
fulfilled by other means; and
3. Balancing test - The fundamental rights and freedoms of data
subjects must not be overridden by the legitimate interests of
the PICs or third party, considering the likely impact of the
processing on the data subjects.

Adherence to the general data privacy principles; transparency;
proportionality; privacy notice

Aside from determining the most appropriate lawful basis for
processing, the Corporations must also adhere to the general
data privacy principles of transparency, legitimate purpose, and
proportionality.

Particularly, the principle of proportionality requires that processing
of personal information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to the declared and specified
purpose.7

7 Data Privacy Act of 2012, § 11 (c).
8 National Privacy Commission, JVA vs UPESO [NPC Case No. 19-498] 9 June 2020.

As mentioned, the Corporations have CCTVs installed in their
respective facilities. Considering all attendant circumstances, the
Corporations must first conduct an assessment that the use of
additional BWCs is truly necessary and is the least privacy intrusive
manner of processing in relation to the declared purpose.

After evaluation, if the Corporations decide to use BWCs, they
must ensure that the data subjects are informed that their security
personnel are equipped with BWCs. This may be done through an
appropriate privacy notice which you ensure will be complied with.

The privacy notice should describe the specific processes relating
to the use of BWCs. In crafting the privacy notice regarding the use
of BWCs, reference can be made to Section 16 (b) of the DPA on the
information that should be provided to the data subjects pursuant
to their right to be informed and to demonstrate the Corporations’
adherence to the data privacy principle of transparency.

Further, the Commission, in the case of JVA vs UPeso8, ruled that:

The test to determine if the personal information controller has
complied with the general privacy principle of transparency
is to examine whether an average member of the target
audience could have understood the information provided to
them. x x x

If the data subjects would not be able to understand the information
provided in the Privacy Notice, then the Corporations should translate
their Privacy Notices into the language or dialect understandable by
the data subjects in their regions of operations so the latter may be
fully informed of such processing.

The Corporations may also wish to review, among others, the
instances when their security personnel will turn on their BWCs, the
manner by which to immediately notify the data subjects on the
use of BWCs, and the mechanism for data subjects to exercise their
data privacy rights in relation to the BWC footage.

Privacy impact assessment

Finally, we recommend conducting a privacy impact assessment
(PIA) on the use of BWCs to identify potential privacy risks to the
data subjects.

A PIA is a process undertaken and used to evaluate and manage
impacts on privacy of a particular program, project, process, measure,
system or technology product of a PIC or a personal information
processor (PIP). It considers the nature of the personal data to be
protected, the personal data flow, the risks to privacy and security
posed by the processing, current data privacy best practices, the
cost of security implementation, and, where applicable, the size of
the organization, its resources, and the complexity of its operations.9

The PIA will help identify and provide an assessment of various
privacy risks, and propose measures intended to address and
mitigate the effect of these identified risks on the data subjects. We
trust that after the conduct of a PIA, the Corporations would best
be able to determine if the use of BWCs aligns with the basic data
privacy principles.

Please be advised that this Advisory Opinion was rendered based
solely on your provided information. Any extraneous fact that may
be subsequently furnished to us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

9 NPC Advisory No. 2017-03, Guidelines on Privacy Impact Assessment, 31 July 2017.

ADVISORY OPINION
NO. 2022-0201
21 September 2022

Re: CIVIL REGISTRY DOCUMENT REQUEST BY A PERSON OTHER THAN THE OWNER

Dear ,

We respond to your request for an Advisory Opinion on the Philippine Statistics Authority’s (PSA) denial of your request for a copy of another person’s civil registry documents on data privacy grounds.

You mentioned that you intend to process your deceased father’s Government Service Insurance System (GSIS) benefits. You submitted your deceased father’s Certificate of No Marriage (CENOMAR) which apparently lists two (2) marriages: the first to a Ms. . (Ms. ), and the second to your mother.

We understand that GSIS informed you that Ms. may be disqualified from claiming your deceased father’s benefits if you can submit Ms. ’s Death Certificate or her CENOMAR showing a subsequent marriage. Thus, you requested from the PSA a copy of Ms. ’s Death Certificate but were denied, the PSA citing data privacy grounds.

You thus seek advice on your possible remedies to obtain the requested documents from the PSA. Further, you are also asking if you can file a complaint before the National Privacy Commission (NPC) in relation to PSA’s denial of your request for Ms. ’s civil registry documents.

Sensitive personal information; lawful processing; establishment, exercise or defense of legal claims under Section 13(f)

1 Tags: Philippine Identification System Act, PhilSys Act, PhilSys, national ID, identification system, rights of data subjects, right to object, right to erasure, right to deletion, lawful criteria for processing

A Death Certificate is an official document setting forth particulars relating to a deceased individual. It contains data such as (a) date and place of death, (b) full name, (c) age, (d) sex, (e) occupation or profession, (f) residence, (g) civil status, (h) nationality of the deceased, and (i) probable cause of death. Some of these items are sensitive personal information under the DPA.

The processing of sensitive personal information is generally prohibited under the DPA. However, the DPA provides for exceptions to this rule. Section 13 (f) of the DPA specifically recognizes processing for the establishment, exercise, or defense of legal claims, thus:

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: x x x

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interest of natural or legal persons in court proceedings or the establishment, exercise, or defense of legal claims, or when provided to government or public authority.

In line with the DPA’s policy to protect the fundamental right of every individual to privacy, the PSA issued Memorandum Circular (MC) 2019-15 which provides for a list of people allowed to request for civil registry documents/certifications from the PSA, to wit:

6. The court or proper public official whenever absolutely necessary in administrative, judicial or other official or other proceedings to determine the identity of the person. Provided that there must be a duly issued subpoena duces tecum and ad testificandum for the production of the civil registry document.

7. Request from other government agencies pursuant to their mandate provided that the requesting government agency executed Data Sharing Agreement with PSA in accordance with NPC Circular 16-02.

Thus, the PSA is not totally precluded from providing a copy of the requested Death Certificate in the absence of the owner of the personal data or a next of kin.

However, PSA’s requirement that the request should be pursuant to
a pending case and that there is a duly issued subpoena directing
the release of the personal data requested unduly restricts the lawful
basis to process under the DPA. Moreover, not all administrative
agencies have the power to issue subpoenas.

PSA’s requirement is an erroneous interpretation of Section 13(f) of the DPA which was discussed in the case of BGM vs. IPP,2 citing NPC 17-018 dated 15 July 2019. The NPC ruled therein that “processing as necessary for the establishment of legal claims does not require an existing court proceeding”. Further, the very idea of “establishment … of legal claims” presupposes that there is still no pending case since a case will only be filed once the required legal claims have already been established. The NPC further ruled that:

“The DPA should not be seen as curtailing the practice of law in litigation. Considering that it is almost impossible for Congress to determine beforehand what specific data is “necessary” or may or may not be collected by lawyers for purposes of building a case, applying the qualifier “necessary” to the second instance in Section 13(f) therefore, serves to limit the potentially broad concept of “establishment of legal claims” consistent with the general principles of legitimate purpose and proportionality”

Therefore, PSA’s interpretation that lawful processing under Section 13 (f) requires the existence of an actual case should be reviewed and revised to properly conform to the DPA considering that it is intended to carry out the policy “to protect the fundamental right of every individual to privacy”.

In line with this, the NPC also stated in the BGM case that the
protection of lawful rights and interests under Section 13(f) of the
DPA is considered as legitimate interest pursuant to Section 12(f) of
the law. Thus, the following tests may be considered by the PIC in
deciding on a request pursuant to Section 13(f), viz:

1. Purpose test – The existence of a legitimate interest must be clearly established, including a determination of what the particular processing operation seeks to achieve;

2 National Privacy Commission, NPC 19-653 (17 December 2020)

2. Necessity test – The processing of personal information must be necessary for the purpose of the legitimate interest pursued by the PIC or third party to whom personal information is disclosed, where such purpose could not be reasonably fulfilled by other means; and
3. Balancing test – The fundamental rights and freedoms of data subjects must not be overridden by the legitimate interest of the PIC or third party, considering the likely impact of the processing on data subjects.3

In this regard, we highlight that the appreciation of the facts and the evaluation of conditions for the release of documents under their control and custody fall primarily with the concerned agency, as they are in the best position to apply their mandate.4

In other words, even if your request for processing is supported by a lawful criterion, it does not equate to the PIC granting a blanket authority for you to access personal information and/or sensitive personal information of the data subject. Your request would still be evaluated on a case-to-case basis and must always be subject to the PIC’s guidelines for the release of such information.5

Data Privacy Principle of Legitimate Purpose and Proportionality

We take this opportunity to harmonize the restrictions in the PSA’s MC 2019-15 vis-a-vis the recent issuances by the NPC. The grant by the PSA of access to personal data does not necessarily mean that the entire form or record requested will be disclosed. An issuance from the PSA either confirming or denying the marriage or death of the person subject of the record requested may be sufficient and aligned with the data privacy principle of proportionality.

On the other hand, the PSA also allows the disclosure of personal
data through a request from another government agency pursuant
to its mandate. Hence, you may want to explore the possibility of
requesting GSIS to issue a formal request addressed to PSA in the
confirmation of the death and/or status of marriage of Ms. .
3 See generally, Data Privacy Act of 2012, § 12 (f); United Kingdom Information Commissioner’s Office (ICO), What is the ‘Legitimate Interests’ basis?, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/ [last accessed on 8 September 2022].
4 NPC Advisory Opinion 2019-037 (8 August 2019)
5 Id.

As to the filing of a complaint before the NPC, we suggest that
you exhaust first the remedies discussed above. Although PSA’s
reason for not disclosing the requested information is based on
an erroneous interpretation of Section 13(f) of the DPA, the mere
refusal to disclose information and/or relevant documents to a data
subject is not punishable under the DPA. Also, a particular agency’s
procedure for document requests must still be complied with even
if access to the personal data has legitimate basis under the DPA.

Please be advised that this Advisory Opinion was rendered based solely on the information you have provided. Any extraneous fact that may be subsequently furnished us may affect our present position. Please note further that our Advisory Opinion is not intended to adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

Sgd.
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

ADVISORY OPINION NO. 2022-021¹

14 October 2022

Re: PUBLICATION OF INFORMATION OF LIST OF WHOLESALE ELECTRICITY SPOT MARKET (WESM) MEMBERS AND RETAIL CUSTOMER INFORMATION UNDER RETAIL COMPETITION AND OPEN ACCESS (RCOA) AND GREEN ENERGY OPTION PROGRAM (GEOP).
Dear ,
We respond to your request for an Advisory Opinion on the
Independent Electricity Market Operator of the Philippines, Inc.’s
(IEMOP) data privacy concerns regarding the publication of: 1) the
names of Wholesale Electricity Spot Market (WESM) members; and,
2) the names of registration applicants and the retail or contestable
customers registered in the Retail Competition and Open Access
(RCOA), also known as retail electricity market.

We understand that IEMOP made this inquiry as the Market Operator of WESM and the Central Registration Body (CRB) of the RCOA and Green Energy Option Program (GEOP). IEMOP cites our Advisory Opinion No. 2020-052,2 which dealt with the Energy Regulatory Commission’s (ERC) publication of contestable customers. IEMOP’s position is that it is similarly situated to the ERC since it is also obligated by law and regulation to publish the names of WESM participants and the RCOA contestable customers. Incidentally, the RCOA contestable customers are the same contestable customers subject of the said Advisory Opinion.
1 Tags: lawful criteria for processing; natural person; juridical person; legal obligation; publication of names.
2 National Privacy Commission, NPC Advisory Opinion No. 2020-052 (20 November 2020).

We further understand that in accordance with several Department
of Energy (DOE) issuances, the following are published by IEMOP
on its website:

Information owner: WESM Participants
Information published:
1. Participant name (name of corporation, partnership or individual)
2. Short name (short name designated by IEMOP for the participant)
3. Region (Luzon, Visayas or Mindanao)
4. Category (Generator, Private Distribution Utility, Electric Cooperative, Bulk User/Directly Connected Customer, Ancillary Service Provider, Wholesale Metering Service Provider)
5. Membership (Direct Member or Indirect Member)
6. Resource (facility name; name of power plant, if a generator)
7. Effectivity date of registration (date in which membership has become effective)
8. Registration Status (Registered, Deregistered or Ceased)

Information owner: Contestable Customers (RCOA/CREM)
Information published:
1. Participant name (name of corporation, partnership or individual)
2. Short name (short name designated by IEMOP for the participant)
3. Region (Luzon, Visayas or Mindanao)
4. Category (Contestable Customer, Retail Electricity Supplier, Local Retail Electricity Supplier, Supplier of Last Resort, Retail Metering Service Provider)
5. Membership (Direct Member or Indirect Member; Registered with CRB only)
6. Effectivity date of registration (date in which membership has become effective)
7. Registration Status (Registered, Deregistered or Ceased)

Information owner: WESM Applicants
Information published:
1. Applicant name (name of corporation, partnership or individual)
2. Short name (short name designated by IEMOP for the applicant)
3. Region (Luzon, Visayas or Mindanao)
4. Category applied for (Generator, Private Distribution Utility, Electric Cooperative, Bulk User/Directly Connected Customer, Ancillary Service Provider, Wholesale Metering Service Provider)
5. Membership type applied for (Direct Member or Indirect Member)
6. Resource (facility name; name of power plant, if a generator)
7. Application Type (New registration or additional facility)
8. Status (For completion)

Furthermore, we understand that WESM members and applicants may be juridical entities or individual persons. Currently, however, the registered members are all juridical entities. In addition, contestable customers may likewise be juridical entities or individuals who are operating as sole proprietorships.

Thus, you seek guidance on the following:

1) Whether IEMOP may publish the names of WESM members and names of applicants for WESM registration by virtue of the WESM Rules promulgated by the DOE pursuant to Republic Act No. 9136, otherwise known as the Electric Power Industry Reform Act (EPIRA); and

2) Whether IEMOP may publish the names of retail or contestable customers that are registered to participate in the Retail Competition and Open Access (RCOA) or the retail electricity market on the basis of The Retail Market Manual on Disclosure and Confidentiality of Retail Customer Information (Retail Manual - DCRCI) likewise promulgated by the DOE.

Lawful criteria for processing; compliance with a legal obligation

Section 3 of the EPIRA defines the responsibilities of the various
government agencies and private entities in relation to the electric
power industry. The WESM and the RCOA are part of the electric
market industry framework.

Pursuant to DOE Department Circular No. DC2018-01-0002,3 IEMOP was established to be the independent market operator of the WESM. Thus, it is evident that IEMOP is obligated to comply with the EPIRA and is regulated by the DOE through applicable issuances.

Under the WESM Rules promulgated by the DOE, IEMOP is required to publish the following:

a) A list of registered WESM members, including the names and categories in which they are registered; and
b) A list of applicants for WESM registration, including the name of the applicant and the status of its application.4

On the other hand, the Retail Manual on Disclosure and Confidentiality of Retail Customer Information (Retail Manual – DCRCI)5 designates the IEMOP to be the Central Registration Body that is required to publish “Retail Customer Information” of contestable customers, including their names and short names.6

The abovementioned information published by IEMOP is based on the non-confidential information enumerated in Clause 5.4 of the Retail Manual – DCRCI, which are:

1. Service address of the registered facility
2. Contact details
3. Supply details
   a. incumbent supplier
   b. past supplier/s
   c. duration of supply contract
   d. names of counterparties
4. Details contained in the ERC’s Certificates of Contestability, as applicable.

3 Department of Energy, Department Circular No. DC-2018-01-002, “Adopting Policies for the Effective and Efficient Transition to the Independent Market Operator for the Wholesale Electricity Spot Market” (17 January 2018).
4 Wholesale Electricity Spot Market Rules (WESM Rules), available at https://www.wesm.ph/downloads/download/TWFya2V0IFJlcG9ydHM=/MTkyMg== (last accessed 10 June 2022).
5 Promulgated by the DOE through Department Circular Nos. DC2013-07-0014, DC2021-06-005, and DC2021-06-0012.
6 Ibid.

The Data Privacy Act of 20127 (DPA) governs the processing of
personal data. Under the DPA, the processing of personal data shall
only be allowed under certain conditions provided in Sections 12 and
13 depending on whether the information involved is classified as
personal information or sensitive personal information.

In this regard, we reiterate the discussion in Advisory Opinion No. 2020-052 where we stated that information on juridical entities is outside the scope of the DPA. Thus, the publication of WESM members or applicants for registration and contestable customers in the RCOA that are juridical entities may be done in accordance with applicable laws, rules, and regulations without violating the DPA.

We also discussed in Advisory Opinion No. 2020-052 that the publication of personal information of an individual or a sole proprietorship who may qualify as a WESM member or as a contestable customer is allowed subject to Section 12 of the DPA, thus:

In the event where the contestable customer is an individual or a sole proprietorship whose name and generic location would be subject to publication, Section 12 of the DPA states that the processing of personal information shall be permitted if necessary for compliance with a legal obligation to which the personal information controller is subject or when necessary in order to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate.

In this instance, the ERC may cite the pertinent provisions of the Electric Power Industry Reform Act of 2001 (EPIRA) and/or other applicable laws and regulations to justify the publication of names and generic locations of individuals identified as qualified contestable customers as a legal obligation of the ERC and/or part of the fulfillment of its mandate.

Under the DPA, the processing of personal data is allowed when it is necessary for compliance with a legal obligation. In RLA v. PLDT Enterprise,8 the National Privacy Commission (NPC) discussed the elements that should exist for valid processing based on a legal obligation: “(1) if the legal obligation the PIC cites as lawful criteria exists and applies to the PIC; (2) if the processing that the PIC performs is necessary to comply with the legal obligation; and (3) if all the conditions imposed by the legal obligation for the processing of the personal information have been complied with.”8

7 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).

A survey of the relevant DOE regulations cited clearly shows that IEMOP has a legal obligation to publish the information listed above. As such, as long as the elements mentioned above are complied with, IEMOP can publish the names of WESM members and the names of applicants for WESM registration, by virtue of the WESM Rules. Similarly, the names of retail or contestable customers that are registered to participate in the RCOA may also be published on the basis of the Retail Manual – DCRCI.

Nevertheless, IEMOP, as a PIC, is still mandated to adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality. It also has the obligation to implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data, and to ensure that it processes information in a manner that upholds the data privacy rights of its data subjects.

Please be advised that this Advisory Opinion was rendered based solely on the information you have provided. Any extraneous fact that may be subsequently furnished us may affect our present position. Please note further that our Advisory Opinion is not intended to adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

8 National Privacy Commission, RLA v. PLDT Enterprise [NPC Resolution No. 2018-010] (10 December 2021).

ADVISORY OPINION NO. 2022-022¹

19 October 2022

Re: DISCLOSURE OF COVID-19 SWAB TEST RESULTS IN GROUP CHAT
Dear ,
We respond to your request for clarification on the data privacy implication of a proposed internal practice of disclosing COVID-19 test results in your office’s group chat.

We understand that the Davao Center for Health Development (DCHD) wishes to enhance its contact tracing of COVID-19 positive cases within its office. The intended purpose is to improve infection control and minimize the spread of positive cases to ensure unhampered operations.

You further inform us that in a survey conducted among DCHD’s employees, a majority voted to have the complete list of COVID-19 positive employees posted in the group chat composed of 250 members, while a minority opposed the measure. The purpose of posting in the group chat is to let everyone be aware if they are possible close contacts and, thus, enable them to take the necessary precautions to avoid infection.

Thus, you seek guidance on the following:

1. Given that the majority voted in favor of posting the COVID-19 swab test results in the group chat, is DCHD allowed to post the complete list in the group chat despite a minority signifying to the contrary?
2. Is written consent still necessary for those who agreed to have their names posted in the group chat once they have positive results?

1 Tags: COVID-19, swab test results, contact tracing, sensitive personal information, disclosure.

Lawful criteria for processing of COVID-19 test
results, provided by law and regulation; limitations
on disclosure

Under the Data Privacy Act of 2012 (DPA),2 the processing of personal data shall only be allowed under certain conditions provided in Sections 12 and 13, depending on whether the information involved is classified as personal information or sensitive personal information. In addition, Section 18 (b) of the Implementing Rules and Regulations (IRR) of the DPA also requires that the processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality. Transparency requires that the data subjects be informed of the details of the processing of their personal data, such as the nature, purpose and extent of processing as well as their rights as data subjects. The principle of legitimate purpose, on the other hand, states that the processing of personal information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. Finally, proportionality requires that the processing of personal information be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

In the case of COVID-19 contact tracing, we stated in Advisory Opinion No. 2020-022³ that the processing of any personal data, including the test results, is based on law and regulation, viz.:

Accordingly, contact tracing would inevitably involve the processing of personal and sensitive personal information (collectively, personal data) of COVID-19 suspected, probable, and confirmed cases by the DOH and other government agencies engaged in the COVID-19 response.

Such processing for contact tracing is expected to be in accordance with existing laws and regulations on the matter, i.e., Republic Act No. 11332 or the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act, the DPA, as well as applicable issuances of the DOH and the NPC.

The DOH Updated Guidelines on Contact Tracing provides for the specific guidelines for the identification of contacts of suspect cases, case investigation and contact tracing for probable and confirmed cases, contact tracing in areas with community transmission, among others. These guidelines also provide for the use of standard forms, i.e., Case Investigation Form, Travel History Form, Close Contact Line List Form, Profile of the COVID-19 Close Contacts, etc.

All these measures ensure that only the necessary personal data are
collected in a standard and appropriate manner and disclosed only to the
proper authorities.

In the same Advisory Opinion, we further stated that the disclosure of personal data related to COVID-19 shall be made pursuant to Annex A of the DOH Updated Guidelines on Contact Tracing, thus:

6. Disclosure of Patient Identifiers or Patient Data shall be limited to authorized entities, officers, personnel and concerned individuals only. The said disclosure is allowed if the same will serve a public purpose or function during the COVID-19 pandemic.

Disclosure to the public, the media, or any other public-facing platforms without the written consent of the patient or his/her authorized representative or next of kin, shall be strictly prohibited.

The above policy is further reinforced in the DOH-NPC Joint Memorandum Circular on the Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response, which contains a similar provision under Section VI (D) (2) thereof on the Specific Guidelines on Use and Disclosure of Health Information.

We also stated in NPC Circular No. 2021-02 that the disclosure of personal data in cases of contact tracing “shall be limited to public health authorities, such as the DOH and its authorized partner agencies, LGUs, or other lawfully authorized entities, officers, or personnel, and must only be for the purpose of responding to the public health emergency.”4

Thus, we do not suggest posting in a group chat the names of employees who are COVID-19 positive. Through Department Memorandum No. 2020-0189, the Department of Health (DOH) already laid down the procedure which a Personal Information Controller (PIC), such as your office, must observe in relation to contact tracing.5 As such, we recommend that the guidelines be strictly observed since they provide the lawful basis which justifies the processing of personal data of employees under the circumstances.

Consent not the appropriate basis for disclosure of COVID-19 swab test results
2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
3 See National Privacy Commission, NPC Advisory Opinion No. 2020-022 (8 June 2022).

Under the DPA, consent of the data subject that is freely given,
specific, and informed, is recognized as one of the lawful criteria for
processing.6 In the present case, however, the parties do not stand
on equal footing. In the field of data protection and privacy, it has
been recognized that there is a clear imbalance of power between
the employer and the employee because by the very nature of the
relationship, employees may not have genuine free choice and may
not subsequently be able to withdraw their consent without adverse
consequences.7 As such, consent is not the most appropriate basis
for processing since it can be tricky to ascertain if the employees
concerned freely gave their consent.

Instead, the appropriate lawful basis for processing relative to contact tracing purposes is provided and limited by law and regulation, that is, DOH Department Memorandum No. 2020-0189. Given this, it would be inconsistent with the basis for processing to ask employees to consent to such additional processing since it already goes beyond the prescribed procedure under the regulation. Mere participation in the survey in the group chat cannot be recognized as a positive indication of valid consent since the elements of consent under the DPA are not present. Moreover, asking the employees’ consent for processing in addition to what is provided by the law and regulation would be unjust and improper as the data subject may not be able to distinguish the basis for which their personal data is being processed. In the present situation, the employees may feel the need to give their consent for all things related to contact tracing.

Proper procedures already exist to address the demands of the COVID-19 public health emergency while ensuring the protection of the individual’s data privacy. As the PIC and employer, DCHD should adhere to the requirements of the law as well as implement strategies that are least intrusive to the rights and freedoms of its employees. Even though the proposed disclosure in the group chat is made with good intentions, this strategy may run afoul of the employees’ data privacy.

4 See National Privacy Commission, Guidelines on the Processing of Personal Data During Public Health Emergencies for Public Health Measures, NPC Circular No. 2021-02 [NPC Circular 21-02] (08 November 2021).
5 Department of Health, Update Guidelines on Contact Tracing of Close Contacts of Confirmed Coronavirus Disease (COVID19) Cases, Department Memorandum No. 2020-0189 (17 April 2020).
6 Data Privacy Act of 2012, § 3 (b).
7 See Article 29 Working Party, Opinion 8/2001 on the processing at work (13 September 2001) available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2001/wp48_en.pdf (last accessed 31 March 2022).

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

ADVISORY OPINION NO. 2022-023¹

11 November 2022

Re: DISCLOSURE OF STUDENTS’ PERSONAL DATA FOR CASE BUILD-UP PURPOSES
Dear ,

We respond to your request for an Advisory Opinion on whether the University of the Philippines Diliman (University) may disclose its students’ personal data in connection with an “on-going case build-up” preparatory to the filing of a case for violation of Republic Act No. 11053 or the Anti-Hazing Act of 2018.2

As you have narrated, a

The lawyer of wrote the University’s Office of the Vice Chancellor for Student Affairs asking for a list of the subject fraternity’s: 1) alleged current members, 2) student and alumni members, and 3) new recruits. The following specific information pertaining to the listed individuals were also requested:

• Full name;
• Address;
• Phone number and/or email address;
• Enrolment, course, degree, and campus; and
• For new recruits, in addition to the above, their parents’ name,
addresses, phone number and/or email address.

The lawyer’s request for the foregoing is purportedly intended for a case build-up, and to invite or summon potential witnesses and/or co-complainants or co-plaintiffs.

You are thus concerned if the disclosure of such information is in line with the Data Privacy Act of 2012 (DPA).3

1 Tags: disclosure of student personal information and sensitive personal information; Section 12 (f); Section 13 (f); proportionality.
2 An Act Prohibiting Hazing and Regulating Other Forms of Initiation Rites of Fraternities, Sororities, and Other Organizations, and Providing Penalties for Violations thereof, Amending for the Purpose Republic Act No. 8049, Entitled “An Act Regulating Hazing and Other Forms of Initiation Rites in Fraternities, Sororities, and Organizations and Providing Penalties therefor” [Anti-Hazing Act of 2018], Republic Act No. 11053 (2018).
You are thus concerned if the disclosure of such information is in line
with the Data Privacy Act of 2012 (DPA).3

Requested information is personal information and sensitive personal information

The requested information is classified as personal information and sensitive personal information (collectively, personal data) under the DPA.

Specifically, names and contact details (addresses, phone numbers, and email addresses) of the students and their parents are considered as personal information under the DPA. On the other hand, the requested information on enrolment, course, degree, and campus may be considered as sensitive personal information since it pertains to an individual’s education.

Lawful basis for processing under Section 13; establishment of legal claims

The disclosure of personal and sensitive personal information is considered processing under the DPA. Consequently, the same should be based on the most appropriate lawful criterion for processing under Sections 12 and 13, respectively.

In the present case, the avowed purpose for the request for information is to build up a case and invite or summon potential witnesses and/or co-complainants for the filing of a case for violation of the Anti-Hazing Act of 2018.

For the sensitive personal information requested, the disclosure may find basis under Section 13 (f), viz.:

SECTION 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: x x x

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.4 (emphasis supplied)

3 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
4 Data Privacy Act of 2012, § 13 (f).
5 National Privacy Commission, NPC Advisory Opinion No. 2021-36 (Sept. 23, 2021) citing National Privacy Commission, NPC 19-653 (Dec. 17, 2020).

The term “establishment” may include activities to obtain evidence by lawful means for prospective court proceedings.5

On the other hand, the disclosure of personal information may be justified as falling under the legitimate interest criterion in Section 12 (f):

SECTION 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists: x x x

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution. (emphasis supplied)

In the case of BGM vs. IPP,6 the Commission articulated that the
protection of lawful rights and interests under Section 13(f) is
considered as legitimate interest pursuant to Section 12(f):

Although Section 13(f) applies to sensitive personal information, the protection of lawful rights and interests under Section 13(f) by the Respondent is considered as legitimate interest pursuant to Section 12(f) of the DPA. This section provides that it is lawful to process personal information if it is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

By application in the instant case, Respondent may not be held liable for unauthorized processing should it disclose the requested information to Complainant as its disclosure would be in pursuance of the latter’s legitimate interest as the same cannot be fulfilled by other means. Thus, the disclosure of the requested personal data for the declared purpose finds support under the DPA. We emphasize that the DPA is neither a tool to prevent the discovery of a crime nor a means to hinder legitimate proceedings.7

6 National Privacy Commission, NPC 19-653 (17 December 2020).
7 National Privacy Commission, NPC Case No. 17-018 (15 July 2019).
8 Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No. 10173, § 18 (c) (2016).

Proportionality of processing; necessity of personal data requested vis-à-vis the specified and declared purposes

Nonetheless, utmost consideration must also be given to the general data privacy principle of proportionality. The University should evaluate whether the personal data requested is relevant and not excessive in relation to the purpose. Note that while the law may allow processing when there is a lawful basis for the same, the processing of personal data remains subject to the proportionality principle, which requires that the processing shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.8

As such, the University should determine whether to disclose all requested information taking into consideration the information stated in the request letter and its necessity and relevance to the declared purposes.

Should the University deem it proper to grant the request, it is recommended that the requesting party be made to sign an undertaking that the use of the requested information will only be for the purpose for which it is requested (i.e., filing a complaint for violation of the Anti-Hazing Act of 2018). Further, the proper disposal of such personal data should be ensured should the parties decide not to pursue the filing of the case. Likewise, the undertaking must include a clause to the effect that the requesting party acknowledges that he or she becomes a personal information controller (PIC) upon receipt of the requested documents and, therefore, is bound to observe the obligations of a PIC under the DPA.9

Lastly, should the information be provided, its use should be limited to the declared purpose of filing formal/legal charges by the concerned or affected individual who allegedly suffered damages. Thus, the sharing, posting or any publication of such information in any public-facing platform such as social media pages or public groups is prohibited. We caution that should there be processing beyond the stated purpose, the same may be penalized under the appropriate provisions of the DPA, such as Unauthorized Processing of Personal Information, Processing of Personal Information for Unauthorized Purposes or Unauthorized Disclosure.10

Please be advised that this Advisory Opinion was rendered based solely on the information you have provided. Any extraneous fact that may be subsequently furnished us may affect our present position. Please note further that our Advisory Opinion is not intended to adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

9 National Privacy Commission, NPC Advisory Opinion No. 2021-044 (29 December 2021).
10 See: National Privacy Commission, NPC Advisory Opinion No. 2022-005 (24 February 2022).


ADVISORY OPINION NO. 2022-024¹

21 November 2022

Re: FREE FLOW OF DATA

Dear ,

We respond to your inquiry regarding the concept of the free flow of data. You cited in your letter the discussions on the concept of “free flow of data” in high-level statements of the APEC,2 and G20.3 Likewise, in the WTO Joint Statement Initiative on e-commerce, the relevant working text refers to the “flow of information” as well as “cross-border transfer of information by electronic means” or “cross-border data flows.”

You further inform that trade agreements have also evolved to meet
changing digital realities, with provisions relating to enabling trusted
data flows by developing mechanisms to protect personal data
being transferred across borders and allow businesses to transfer
information across borders regardless of where they are located.

It is in this context that the Bureau of International Trade Relations (BITR) of the Department of Trade and Industry (DTI) is inquiring whether the concept of the free flow of data falls under the purview of the Data Privacy Act of 20124 (DPA) or under other related law or policy, and whether the National Privacy Commission (NPC) foresees any future implications on data localization, data sovereignty, and data protection. The BITR likewise requests any information, views, or insights to inform and guide the BITR on the stage of the Philippines’ work in terms of establishing a framework to govern cross-border e-commerce and data flows.

1 Tags: free flow of data; data transfer; cross-border data transfer; accountability.
2 APEC Internet and Digital Economy Roadmap: Key focus area of “Facilitating the free flow of information and data for the development of the Internet and Digital Economy, while respecting applicable domestic laws and regulations”; APEC Putrajaya Vision 2040: Innovation and Digitalization pillar, wherein members have committed to “strengthen digital infrastructure, accelerate digital transformation, narrow the digital divide, as well as cooperate on facilitating the flow of data and strengthening consumer and business trust in digital transactions”; APEC Cross-Border Privacy Rules (CBPR) System and APEC Privacy Framework: Preamble states that “a key part of efforts to improve consumer confidence and ensure the growth of electronic commerce must be cooperation to balance and promote both effective information privacy protection and the free flow of information in the Asia Pacific region.”
3 At the G20, Japan launched the Osaka Track based on the concept of “data free flow with trust” (DFFT) as an organizing principle for a global approach to data governance. It should be noted that DFFT has been pushed by Japan in APEC, although with resistance among the developing economy members. A few APEC economies have openly expressed reservations on the use of “free” in relation to data flows.

Free flow of data and the Data Privacy Act of 2012

Section 2 on the Declaration of Policy of the Data Privacy Act of 20125 (DPA) states that:

It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

The DPA indeed concerns itself with the free flow of data but limited
to the specific context of personal data processing6 only. The law
has the twin task of protecting the right to privacy while ensuring
the free flow of information.

This means recognizing the fundamental right of individuals to the protection of the privacy of their personal data, and at the same time, recognizing interests of the government and the private sector in the processing of personal data which is vital in the implementation of constitutional and statutory mandates and in lawful business operations, respectively.

4 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
5 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
6 Id. § 3 (j): Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
7 See generally: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) Official Journal of the European Union, Vol. L119, Recital 53 (4 May 2016) and Organisation for Economic Co-operation and Development (OECD) Guidelines Governing The Protection Of Privacy And Transborder Flows Of Personal Data, Paragraphs 17-18 (Amended on 11/07/2013).


The use of the term “free” in relation to “flow of information” is
not intended to denote absoluteness in the use and/or transfer
of information by personal information controllers (PICs) whether
locally or across transnational borders. Any processing of personal
data is still regulated and subject to the requirements of the DPA
and issuances of the NPC.

We note that this interpretation is similar and consistent with other international instruments and laws on data privacy. There is a recognition that free flow of data should be facilitated but subject to the implementation of sufficient safeguards and where appropriate, conditions, limitations, or restrictions on the flow of data should be proportionate to the risks of the personal data processing activity.7

Likewise, the NPC is cognizant that cross-border data flows can have
significant benefits for economic growth and that data governance
is essential in the context of rapid digitalization.

The DPA does not serve as a barrier to the free flow of data
across borders so long as appropriate safeguards on personal
data protection are in place. This means that transfer of personal
data must adhere to general privacy principles of proportionality,
transparency, and legitimate purpose.8 PICs must also ensure that
recipients of personal data outside the Philippines process data in
a manner consistent with requirements of the DPA and must put in
place contractual or other reasonable safeguards to guarantee a
comparable level of protection for data transferred.

Relevant policies on data transfers

Related to the concept of free flow of data is the principle on secure and trusted transfer of personal data. Section 21 of the DPA states that:

Section 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

a. The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party. x x x

8 Data Privacy Act of 2012, §11.
9 National Privacy Commission, NPC 19-910 (17 December 2020).
10 National Privacy Commission, Data Sharing Agreements [NPC Circular No. 2020-03], (December 23, 2020).

In the case of In Re: FLI Operating ABC Online Lending Application,9 the NPC expounded that the PIC cannot surrender its accountability and responsibility to prevent any unauthorized processing under the DPA to the Personal Information Processor (PIP). The NPC ruled therein that the respondent cannot be absolved of its violations of the DPA on the argument that the processing for purposes of collections was subcontracted. The NPC explained that the respondent cannot escape the fact that it was in the position to control and exercise discretion over what personal information it processed and the extent of its processing.

In connection with the principle of accountability on transfers of personal data in Section 21 of the DPA, the NPC also issued NPC Circular No. 2020-0310 on Data Sharing Agreements. In essence, the NPC explained that data sharing requires that the sharing, disclosure, or transfer to a third party of personal data should adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality. Likewise, organizations should implement reasonable and appropriate organizational, physical, and technical security measures intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.

Mechanisms to facilitate cross-border transfers of personal data that comply with privacy and data protection requirements and principles are likewise an area of importance. Thus, the NPC issued NPC Advisory No. 2021-02 on the Guidance for the use of the ASEAN Model Contract Clauses and ASEAN Data Management Framework. This Advisory recognizes the value of these initiatives to data privacy protection and trustworthy cross-border data flows and hence promotes their adoption and use in the domestic legal framework. This Advisory also aims to provide additional guidance to supplement the ASEAN Model Contractual Clauses and ASEAN Data Management Framework as to how personal information controllers (PICs) and processors (PIPs) in the Philippines may use these in their respective personal data processing activities.


Further, the NPC continues to foster collaboration with like-minded
jurisdictions in supporting privacy-respecting cross-border data
flows through the APEC Cross Border Privacy Rules (CBPR) System
and the Global CBPR Forum. This is in line with NPC’s mission of
establishing a regulatory environment that ensures accountability in
the processing of personal data and promotes global standards for
data privacy and protection.

Future implications on data localization, data sovereignty, and data protection

At this juncture, it would be speculative for the NPC to provide an answer to the posited question of whether the NPC foresees any future implications on data localization, data sovereignty, and data protection vis-à-vis the concept of the free flow of data.11 Nevertheless, the NPC remains proactive in fulfilling its mandate and will respond and adapt appropriately according to the call of the times.

Please be advised that this Advisory Opinion was rendered based solely on the information you have provided. Any extraneous fact that may be subsequently furnished to us may affect our present position. Please note further that our Advisory Opinion is not intended to adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

11 National Privacy Commission, Rules of Procedure on Requests for Advisory Opinions [NPC Circular 18-01], § 5 (b) (4) (September 10, 2018).


ADVISORY OPINION NO. 2022-025¹

22 November 2022

Re: 201 FILES OF GOVERNMENT EMPLOYEES

Dear ,

We respond to your inquiry concerning the rights of government employees to their 201 files and other information processed by a government agency.

You inform that you have been an employee of the Department of Agriculture
In September 2020, you received a Special Order reassigning you to a remote province. You filed an appeal before the Civil Service Commission (CSC) to assail your reassignment. Pending your appeal, you requested to be reinstated at your original station but were denied. Months later, you were dropped from the rolls without notice. As a result, you filed another petition before the CSC for being dropped from the rolls.

To support your petition, you requested a copy of your 201 file, which is in the custody of the Human Resources Office of DA-
In your letters to the Officer-in-Charge Regional Director (OIC-RD), you insisted that government employees are entitled to copies of their 201 files, citing relevant CSC rules and the Data Privacy Act of 2012.

Through a 31 March 2022 letter, the OIC-RD denied your request for
copies of your 201 Files stating that:

1 Tags: 201 files; government employee; Civil Service Commission; right to access; data subject rights; legal claims.


“… as an employee that is deemed Dropped from the Rolls, the Office has no
more recourse left but to turn-over his/her 201 files. However, MC Number
1, series of 2011, of the Civil Service Commission, generally instructed the
NGAs, GOCCs and SUC to undertake the turning over of 201 files to all
those applicable former employees perhaps in batches, as the procedure
provided in the mentioned MC entails coordination with several offices
and requires the necessary clearances from affected former employees.”

In addition, the OIC-RD reasoned that, “as a former government employee, the provisions of the Data Privacy Act of 2012 do not apply to you.” He cited Section 4 (a) of the Data Privacy Act of 20122 (DPA) and stated that the provisions of the DPA should be read together with the necessary Civil Service Rules and Issuances.

201 files; government employees are data subjects with data privacy rights; the establishment, exercise or defense of legal claims

We refer to CSC Memorandum Circular No. 8, series of 2007 (MC 08-2007)3 which states that a government employee’s 201/120 file consists of copies of the following documents:

a) Appointments [CSC Form 33]
b) Assumption to Duty
c) Certification of Leave Balances (for transferees)
d) Clearance from Property and Money Accountabilities
(for transferees)
e) Contracts of Services (if applicable)
f) Copies of Certificates of Eligibilities
g) Copies of Diplomas, Commendations and Awards
h) Copies of Disciplinary Actions (if any)
i) Copy of Marriage Contract (if applicable)
j) Designations
k) Medical Certificate [CSC Form 211]
l) NBI Clearance
m) Notice of Salary Adjustments/Step Increments
n) Oath of Office
o) Personal Data Sheet [CSC Form 212]
p) Position Description Forms

2 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
3 Civil Service Commission, “Management of 201/120 Files” [CSC Memorandum Circular No. 8, series of 2007], 17 May 2007 (available at http://www.csc.gov.ph/2014-02-21-08-28-23/pdf-files/category/32-mc-2007 html?download=321 mc8s2007)
4 National Privacy Commission, NPC Advisory Opinion No. 2018-028 (16 May 2018).


In Advisory Opinion No. 2018-028,4 we had the occasion to discuss
that an employee, being a data subject, is entitled to have reasonable
access to the personal information in his/her 201 file:

Accordingly, Employee A, being a data subject, is entitled to have reasonable access to the personal information in her 201 file. She may exercise her right to access in the manner provided under the DPA but she must still abide by company protocols in accessing her 201 file.

Under the law, the company is obligated to respond and grant reasonable
access to subject request. Should the request be ignored or denied, a
complaint with the NPC may be initiated following the procedure laid
down in NPC Circular No. 2016-04, as one of NPC’s functions is to enforce
and effectively implement the provisions of the DPA, including those
pertaining to the rights of data subjects.

In addition, the National Privacy Commission (NPC) issued NPC Advisory No. 2022-01, “Guidelines on Requests for Personal Data of Public Officers”5 to provide guidance in dealing with personal and sensitive personal information (collectively, personal data) of government employees. The said Advisory unequivocally states that public officers and employees are recognized as data subjects with all the concomitant rights and available redresses, viz.:

C. Public officers are data subjects within the purview of the Act, with
all the concomitant rights and available redresses under the same.
However, certain personal data relating to their positions and functions is
subject to certain exceptions provided in the Act and disclosures required
under other applicable laws.

In these exceptional cases, these information relating to their position and official functions are not covered by the DPA. However, the exemption is not absolute. The exclusion of such information from the scope of the law is interpreted as an exemption from complying with the requirements of Sections 12 or 13 on lawful criteria for processing; and the collection, access, use, disclosure, or other processing is limited to the minimum extent necessary to achieve the purpose, function, or activity concerned. Personal information controllers (PICs) undertaking the processing of such information remain to be subject to the other requirements of the DPA, including implementing security measures to protect personal data and upholding the rights of the public officers as data subjects.6

5 National Privacy Commission, Guidelines on Requests for Personal Data of Public Officers [NPC Advisory No. 2022-01], (4 February 2022), available at: https://www.privacy.gov.ph/wp-content/uploads/2022/02/NPC-Advisory-No.-2022-01-Request-for-Personal-Data-of-Public-Officers.pdf.
6 Id., at §3(C). (Emphasis supplied.)


Consequently, the unequivocal statement of the OIC-RD that the
provisions of the DPA do not apply to government employees is
misplaced. As a data subject, you have data privacy rights to your
own personal data, including the right to access such information. A
PIC must have policies to facilitate the exercise of a data subject’s
right to access. These policies must include, among others, the
procedure to acquire the information, the retention period of the data
and the mode of disposal or deletion. Thus, you should be provided
with the information you requested in accordance with the policies
of DA- on a data subject’s right to access information and
the retention period for personal and sensitive personal information,
as well as other existing policies related to government employment
records.

In addition, you mentioned that your request for a copy of your 201
files is to support your petition before the CSC to question your
reassignment and your eventual dropping from the rolls. Thus, the
request is made for the establishment, exercise or defense of legal
claims which is a lawful criterion for processing under Section 13 (f)
of the DPA, to wit:

SECTION 13. Sensitive Personal Information and Privileged Information. — The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: x x x

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

In EA and TA vs. EJ, EE and HC, the Commission emphasized that:

“…processing as necessary for the establishment of legal claims” does not require an existing court proceeding. To require a court proceeding for the application of Section 13(f) to this instance would not only be to disregard the distinction provided in the law but the clear letter of the law as well. After all, the very idea of “establishment … of legal claims” presupposes that there is still no pending case since a case will only be filed once the required legal claims have already been established.

7 EA and TA vs. EJ, EE and HC, NPC 17-018, Decision dated 15 July 2019, at page 8.
8 Civil Service Commission, “Addendum to CSC Memorandum Circular No. 8, s. 2007 on Management of 201/120 Files” [CSC Memorandum Circular No. 1, series of 2011], 17 January 2011 (available at http://www.csc.gov.ph/phocadownload/userupload/itduser/mc01s2011.pdf).


The turnover of 201 files under CSC Memorandum Circular No. 1, Series of 2011 is separate from a government employee’s exercise of the right to access.

The OIC-RD referred to CSC Memorandum Circular No. 1, Series of 2011 (MC 01-2011)8 in refusing to provide you with your 201 files. MC 01-2011, which is an addendum to MC 08-2007 on the Management of 201/120 files of government employees, provides guidelines on how the turnover of 201/120 files should be done in case personnel resign, retire or are separated.

Since you are requesting your 201 file to support your petition against what you perceive to be an unjust personnel action, going through the processes described under MC 01-2011 might be against your interest. Thus, the NPC takes this opportunity to state that the exercise of your right to access your personal data is separate from the processes that a government employee needs to undergo for the turnover of 201 files in cases of separation, retirement, or resignation.

The NPC subscribes to the harmonization of existing laws and relevant government issuances. However, it must be noted that in this situation, you are contesting your separation from the service. This should not hinder your right to access your own personal data. Neither should your right to access your information be detrimental to your petition.

Moreover, it is evident that you are not requesting the turnover of
your 201 files but only copies of the files to support your petition.
On this note, MC 08-2007 provides that the head of office in charge
of Human Resource Management shall “provide the personnel
concerned with original copies of the agency and approved
appointment as well as duplicate/machine copies of document in
the 201/120 file for their own record.”9

This means that access to such information should be allowed even without the need to go through the process of turning over 201 files. Further, MC 08-2007 provides that the head of office in charge of Human Resource Management shall also be responsible for the establishment, maintenance and disposal of 201/120 files.10 Thus, in accordance with MC 08-2007 and NPC Advisory No. 2022-01, the Department of Agriculture should have a mechanism to enable the exercise of the right to access personal and sensitive personal information, including its employees’ 201 files, without stringent and excessive requirements.

Please be advised that this Advisory Opinion was rendered based solely on the information you have provided. Any extraneous fact that may be subsequently furnished to us may affect our present position. Please note further that our Advisory Opinion is not intended to adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

(Sgd.)
FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

10 Id.

Ref No.: PDD-22-00301

ADVISORY OPINION NO. 2022-026¹
23 November 2022

Re: DISCLOSURE OF PERSONAL DATA THROUGH THE
DATABASE OF INDIVIDUALS BARRED FROM TAKING
CIVIL SERVICE EXAMINATIONS AND FROM ENTERING
GOVERNMENT SERVICE (DIBAR)

Dear ,
We respond to your request for clarification on whether the online
disclosure of personal data of dismissed officials/employees
through the Database of Individuals Barred from Taking Civil Service
Examinations and from Entering Government Service (DIBAR), would
violate the Data Privacy Act of 2012 (DPA),2 considering that the
posting of such personal data is part of the constitutional mandate
of the Civil Service Commission (CSC).

We understand that the CSC, through the Integrated Records
Management Office, developed the DIBAR which is an electronic
database of government officials and employees who have been
dismissed and precluded from being re-hired in the government
service. The DIBAR contains information on the administrative
decision against the concerned officials/employees, which includes
the offense committed and penalty imposed. It also contains the
following: name, agency, civil service eligibility, date and place of
exam, exam rating, gender, date and place of birth, occupation
category, and position of the employee. This information is necessary
for identity verification of a dismissed official/employee to ensure
that he/she will neither be re-hired in the government service nor
be able to retake any civil service examination.

1 Tags: Civil Service Commission, constitutional mandate, exemption, disclosure, database, security measures, privacy
impact assessment, proportionality, rights of data subjects, right to rectification.
2 Republic Act (R.A.) No. 10173.

You further mentioned that the DIBAR was previously posted in
the CSC Website accessible to all government agencies but was
subsequently removed in 2018 as a form of self-regulation by the
CSC in observance of the DPA.

Processing of personal data pursuant to a
constitutional or statutory mandate; extent
of exemption from the DPA

Section 4 of the DPA states that the law applies to the processing
of all types of personal information and to any natural and juridical
person involved in personal information processing. Likewise, it
provides for certain exemptions, including those personal data
necessary in order to carry out the functions of public authority, in
accordance with a constitutionally or statutorily mandated function
pertaining to law enforcement or regulatory function, including the
performance of the functions of the independent, central monetary
authority, subject to restrictions provided by law.3

Such exemption, however, is only to the minimum extent of collection,
access, use, disclosure, or other processing necessary to the
purpose, function, or activity concerned.4 The non-applicability of the
DPA or its Implementing Rules and Regulations (IRR) does not extend
to personal information controllers (PICs) or personal information
processors (PIPs), who remain subject to the requirements of
implementing security measures for personal data protection.5 Thus,
for the exemption to apply, the personal data processed by public
authorities must be necessary to carry out their function as a law
enforcement agency or regulatory body, and that such processing
is in accordance with their constitutional or statutory mandate.

The CSC, as the central personnel agency of the government, is
constitutionally mandated to establish a career service and adopt
measures to promote morale, efficiency, integrity, responsiveness,
progressiveness, and courtesy in the civil service. It shall strengthen
the merit and rewards system, integrate all human resources
development programs for all levels and ranks, and institutionalize a
management climate conducive to public accountability.6
3 Data Privacy Act of 2012, § 4 (e); Rules and Regulations Implementing the Data Privacy Act of 2012, Republic Act No.
10173 (2016), § 5 (d).
4 Rules and Regulations Implementing the Data Privacy Act of 2012, § 5.
5 Ibid.
6 PHIL. CONST. art. 9 (B) § 3; See also Executive Order No. 292, Book V, Title I, Subtitle A, Chapter 1, § 1.

We recognize that in order to uphold the principle of merit and fitness
in the government service, the CSC has to establish a system for
the selection and retention of those who are found to be qualified
and the exclusion of those who have been adjudged unfit to hold
government office due to having been dismissed for cause from
the government service. Hence, it is within the CSC’s mandate to
develop and utilize the DIBAR for the purpose of identity verification
of dismissed officials/employees for the use of all government
agencies, and the same is treated as a special case under Section 5
(d) of the IRR of the DPA.

Implementation of security measures

We nonetheless underscore that as a PIC, the CSC is still required
under the DPA to implement reasonable and appropriate
organizational, physical, and technical security measures for
the protection of personal data within its custody.7 The security
measures shall maintain the availability, integrity, and confidentiality
of personal data and are intended for the protection of personal
data against any unlawful processing.8

This obligates the CSC to ensure that any natural person acting under
their authority and who has access to personal data in the DIBAR,
processes the data contained therein only upon proper instruction
or as required by law.9 The CSC should limit the access to DIBAR
only to specific authorized users whose functions necessitate such
access, such as the designated personnel from the Human Resource
(HR) department/division of government agencies.

It is also incumbent upon the CSC to establish and implement data
protection policies specific for the DIBAR, taking into account the
nature, scope, context, and purposes of the processing, as well as
the risks posed to the rights and freedoms of the dismissed officials/
employees who are the data subjects.10 For further information on
security measures for the protection of personal data, please refer
to Sections 25-29 and 30-33 of the IRR of R.A. No. 10173.

Privacy impact assessment

7 Rules and Regulations Implementing the Data Privacy Act of 2012, § 25.
8 Ibid.
9 Ibid.
10 Rules and Regulations Implementing the Data Privacy Act of 2012, § 26 (b).
11 Id. § 30-33.

We also highlight that all sensitive personal information in the
DIBAR should be secured, as far as practicable, with the use of
the most appropriate standard recognized by the information and
communications technology industry, subject to the IRR and other
issuances of the National Privacy Commission (NPC).11 CSC should
conduct a Privacy Impact Assessment (PIA) prior to the adoption of
the DIBAR. In CID Case No. 17-K-003, we discussed the following:

“A PIA should be conducted prior to the deployment of a project, product,
or service that involves the collection of personal information. When
there are new or revised industry standards, organization policy, law
or regulation, or when there are changes to methods in which personal
information is handled, a personal information controller should conduct a
PIA again on the pertinent process.

To emphasize, it should not only identify the existing controls and risks a
project, product, or service may have upon personal data privacy, but it
should lead to the identification of remedial actions or mitigation measures
necessary to avoid or reduce those risks. These remedial actions and
mitigation measures may be incorporated in the organization’s Privacy
Management Program (PMP).”

For further guidelines, please refer to NPC Circular No. 2016-01 -
Security of Personal Data in Government Agencies and NPC Advisory
No. 2017-03 - Guidelines on Privacy Impact Assessments.

Adherence to general data privacy principles;
proportionality

In the implementation of the DIBAR, the CSC should also adhere to
the general data privacy principles provided under the DPA and its
IRR, particularly the principle of proportionality.

The CSC must ensure that the disclosure of personal data to the
government agencies, through the DIBAR, is limited to the declared
and specified purpose. Similarly, only those personal data that are
adequate, relevant, suitable, necessary, and not excessive in relation
to the purpose should be disclosed.

As such, personal data disclosed to the authorized users should
be limited to information necessary to verify the identity of the
dismissed officials/employees. The CSC should determine and
evaluate whether all the personal data indicated are indispensable
for the purpose of ascertaining the identity of those included in the
DIBAR. Likewise, the DIBAR should not be publicly accessible online,
considering that the information stated therein may be considered
sensitive personal information, particularly those involving the
offense committed by the concerned officials/employees and the
penalty imposed.

Fair and accurate processing; limitations on data
subject rights

In addition, the CSC has the obligation to ensure that all personal
data are processed fairly and lawfully, and are accurate, relevant, and
kept up to date.12 In case of inaccurate or incomplete personal data
in the DIBAR, the same must be rectified, supplemented, destroyed
or their further processing restricted by the CSC.13

The CSC should also provide means for the exercise of data subject
rights. However, we emphasize that these rights are not absolute
and may be duly restricted when necessary for public interest,
protection of other fundamental rights, or when the processing
of personal data is for investigations in relation to any criminal,
administrative, or tax liabilities of a data subject, among others.

Considering the foregoing, we clarify the minimum requirements
and recommend the following:

• Since the DIBAR was developed only for the use of all
government agencies, CSC shall not provide access to the
public, even though it is made available on its website. For this
purpose, the CSC may update the DIBAR by incorporating
an identity verification of the authorized users, such as
requiring a username and password and other Multi-Factor
Authentication (MFA) methods.
• Only authorized HR personnel from government agencies
shall be given access to the DIBAR.
• There should be adequate safeguards to protect CSC’s
computer network against accidental, unlawful or unauthorized
usage, or any interference which will affect data integrity or
hinder the functioning or availability of the DIBAR.
• Prior to the adoption of the DIBAR, CSC should conduct a PIA.
• The CSC should have available mechanisms for the exercise
of the rights of the data subjects where applicable, such as
the right to rectification.

12 Data Privacy Act of 2012, § 11 (b) (c).
13 Ibid.

We trust that the CSC is aware of its obligations under the DPA, its
IRR, and issuances of the NPC, such as NPC Circular No. 16-01 on the
Security of Personal Data in Government Agencies and NPC Circular
No. 16-03 on Personal Data Breach Management, among others.

Please be advised that this Advisory Opinion was rendered based
solely on the information you have provided. Any extraneous fact that
may be subsequently furnished us may affect our present position.
Please note further that our Advisory Opinion is not intended to
adjudicate the rights and obligations of the parties involved.

Please be guided accordingly.

Very truly yours,

FRANKLIN ANTHONY M. TABAQUIN IV
Director IV, Privacy Policy Office

ECV,
Complainant,
-versus-

NPC 18-074
For: Violation of the Data Privacy Act of 2012

CVF,

Respondents.
x----------------------------------------------------x

DECISION

NAGA, P.C.;

Before this Commission is a Complaint filed by ECV against CVF for
violating Republic Act No. 10173, also known as the Data Privacy Act
of 2012 (DPA).1

Facts

ECV, in her Complaints-Assisted Form dated 23 July 2018, alleged
that CVF obtained a copy of her Marriage Certificate “without any
authority.”2
ECV narrated that on 30 November 2017, CVF humiliated her when
the latter alleged that she was a mistress.3 When confronted by
ECV’s son about her proof of such claim, CVF allegedly responded
that she was able to get a copy of the Marriage Certificate of “the
first family of UD from the [National Statistics Office].”4 The National
Statistics Office (NSO) was the previous name of the Philippine

1 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes, [Data
Privacy Act of 2012], Republic Act No. 10173 (2012).
2 Complaints-Assisted Form dated 23 July 2018 of ECV, at page 2.
3 Id.
4 Id., at pages 2-3.

Statistics Authority (PSA).5

In a subsequent email to the Commission sent on 06 August 2018,
ECV stated that CVF was able to acquire her Marriage Contract
from the PSA without her knowledge and permission.6 ECV attached
scanned copies of two (2) Philippine National Police (PNP) Incident
Record Forms in the email to support her complaint.7 ECV narrated
that CVF confronted her and said in the vernacular that she was a
mistress.8 As evidence of the claim, CVF uttered that she had her
NSO Marriage Certificate.9

Subsequently, ECV informed the Commission, through an email sent
on 07 August 2018 at 1:46 AM, that she received a copy of CVF’s
administrative complaint against her for misconduct.10 She claimed
that:

There are two Marriage Contract[s] from Philippine Statistics Authority
attached in the last part of the affidavit that they have submitted to the
Department of Education, Region X - Northern Mindanao, Cagayan de Oro
City. The Marriage Contract belongs to RV & ECV and RV & EI. I know this
is an opportunity to file a complaint and protect my rights.11

In the email, ECV attached a Complaint dated 09 May 2018 filed
before the Department of Education (DepEd) for Misconduct (DepEd
Complaint), which included, as an attachment, ECV’s Marriage
Contract with RV dated 10 July 1987.12 In a succeeding email sent at
1:47 AM of the same day, ECV attached a letter in response to the
DepEd Complaint.13 In the letter, she claimed that CVF is in violation
of Section 25 of the DPA.14

5 See An Act Reorganizing the Philippine Statistical System, Repealing for the Purpose Executive Order Numbered
One Hundred Twenty-One, Entitled “Reorganizing and Strengthening the Philippine Statistical System and for Other
Purposes”, [Philippine Statistical Act of 2013], Republic Act No. 10625, § 28 (2013).
6 Email of ECV sent on 06 August 2018.
7 Id. PNP Incident Record Form Entry No. XXX-1 and PNP Incident Record Form Entry No. XXX-2, both dated 04
December 2017.
8 Id. at PNP Incident Record Form Entry No. XXX-2 dated 04 December 2017.
9 Id.
10 Email of ECV sent on 07 August 2018, 1:46 AM.
11 Id.
12 Id., See Complaint dated 09 May 2018 of CVF.
13 Email of ECV sent on 07 August 2018, 1:47 AM. See Letter dated 12 July 2018 of ECV.
14 Id, at page 1.

The Commission, through the Complaints and Investigation Division
(CID), issued an Order to Confer for Discovery, which directed the
parties to appear before the Commission on 18 October 2018.15

During the discovery conference, both parties appeared and
manifested that they were willing to enter into a settlement.16 In an
email sent on 09 November 2018, ECV manifested that the “agreed
Amicable Settlement did not prosper”, and attached further evidence
for the proceedings, including a Supplemental Complaint Affidavit
dated 07 November 2018 (Supplemental Affidavit).17

The Supplemental Affidavit stated the following allegations, among
others:

1. That I am the Complainant in the CID Case No. 18-5-074 xxx

2. That the Respondent is CVF xxx

3. That on November 30, 2017, while supervising the repair of our fence,
she confronted me and uttered defamatory statements;

4. That the utterance expressed that I am only a mistress;

5. That my son JCV was agitated and immediately asked her if she has
evidence regarding her allegations and the Respondent said that they
obtained Marriage Contracts from the NSO. xxx

xxx

7. That the respondent answered that they have obtained from the NSO
a Marriage Contract from another wife and our own Marriage Contract;

8. That on December 3, 2017, another incident occurred and I personally
saw CF mother of the respondent waving a pieces of paper (sic) which
happens to be my Marriage Contract and the Marriage Contract of
my husband to his first wife while the respondent is uttering the same
defamatory remarks;

xxx

15 Order to Confer for Discovery, undated, at page 1.
16 See Order dated 13 April 2019, at page 1.
17 Email of ECV sent on 09 November 2018.

10. That aside from the defamatory remarks uttered against me, she also
filed a malicious complaint before Department of Education, Region X,
charging me of Misconduct;

11. That some of the pieces of evidence attached are my Marriage Contract
and the Marriage Contract of my husband to his other wife;18 (Emphases
supplied)

In an Order dated 13 April 2019, the CID directed the parties to submit
their Compromise Agreement within fifteen (15) days from receipt
thereof. Should the parties fail to do so, CVF was ordered to file her
Comment within ten (10) days from conclusion of the proceedings,
ECV was given ten (10) days from their receipt of the comment to
file her Reply, and CVF was given ten (10) days from receipt of the
Reply to file her Rejoinder.19

CVF submitted a Manifestation of Compliance dated 07 June 2019.20
She manifested that no compromise agreement was reached and
attached her Responsive Comment to the Complaint.21

In her Responsive Comment dated 07 June 2019,22 CVF: 1) denied
the allegation that she obtained ECV’s Marriage Certificate, or that
she made any processing in relation to said Marriage Certificate;23
2) claimed that ECV has long harassed CVF and her family, which
led the latter to file the DepEd Complaint for Misconduct, docketed
as Admin Case No. 10-18-027;24 and 3) raised the defense that the
Complaint should be dismissed outright for being filed beyond the
reglementary period under Section 4(c), Rule II,25 and Section 12 (b),
(c), and (d), Rule III,26 of NPC Circular No. 16-04 (2016 NPC Rules of
Procedure).

ECV filed a Comment and Opposition dated 25 November 2019.27
She reiterated the contents anchoring her complaint,28 narrated
various cases between the parties,29 and alleged that the complaint

18 Supplemental Complaint Affidavit dated 07 November 2018 of ECV, at pages 1-2.
19 Order dated 13 April 2019, at page 3.
20 Manifestation of Compliance dated 07 June 2019 of CVF.
21 Id., at page 1.
22 Responsive Comment dated 07 June 2019 of CVF.
23 Id., ¶¶ 1-4, at pages 3-4.
24 Id., ¶¶ 5-6, at page 4.
25 Id., ¶9, at page 5.
26 Id., ¶11, at pages 5-6.
27 Comment and Opposition dated 25 November 2019 of ECV.
28 Id., ¶¶ 1-16, at pages 1-3.

before the Commission was timely filed.30

In an Order dated 16 September 2021, the CID ordered the DepEd to
submit a certified true copy of the case file for the DepEd Complaint
docketed as Admin Case No. 10-18-XXX.31

In a Compliance dated 22 September 2021, the DepEd submitted
certified true copies of various documents constituting the case file
of the DepEd Complaint.32

On 04 January 2022, the CID acknowledged receipt of the case
files.33 In relation to the Marriage Contract of RV and ECV (herein
Complainant), the CID asked for confirmation whether the said
document was originally filed by CVF, or the circumstance of how
the document formed part of the case file.34

In a Certification dated 12 January 2022, the DepEd certified “that
a photocopy of the Marriage Contract between RV and ECV dated
July 10, 1987, was attached, and included by CF when she filed
the complaint against ECV before the Department of Education,
Regional Office 10.”35

Issues

I. Whether the Complaint should be dismissed for being filed beyond
the reglementary period.
II. Whether Respondent violated Section 25(b) of the DPA.

Discussion

The Commission dismisses the Complaint for lack of merit.

I. The Commission exercises its
authority to resolve the case on the
merits.

29 Id., at pages 4-9.
30 Id., at page 10.
31 Order dated 16 September 2021, at page 1.
32 Compliance dated 22 September 2021 of the Department of Education- Region X, Northern Mindanao.
33 Order dated 04 January 202[2], at page 1.
34 Id.
35 Certification dated 12 January 2022 of the Department of Education- Region X, Northern Mindanao.

ECV filed her complaint against CVF on 23 July 2018.36 The first
event to have allegedly violated her privacy rights happened on 30
November 2017, when CVF stated that she obtained ECV’s Marriage
Contract from the NSO.37 The second relevant event was narrated
in her Supplemental Affidavit dated 07 November 2018, when
she stated that CVF attached her Marriage Contract in the DepEd
Complaint.38

NPC Circular No. 16-04, or the 2016 NPC Rules of Procedure, was the
applicable procedural rule at the time of the filing of the complaint.
Section 12(c) of the NPC Circular No. 16-04 allows for the outright
dismissal of a complaint when it “is filed beyond the period for
filing.”39

Further, this Commission refers to the last paragraph of the
aforementioned Circular, viz:

SECTION 4. Exhaustion of remedies. – No complaint shall be entertained
unless:
a. the complainant has informed, in writing, the personal information
controller or concerned entity of the privacy violation or personal data
breach to allow for appropriate action on the same;

b. the personal information controller or concerned entity did not take
timely or appropriate action on the claimed privacy violation or personal
data breach, or there is no response from the personal information
controller within fifteen (15) days from receipt of information from the
complaint;

c. and the complaint is filed within six (6) months from the occurrence
of the claimed privacy violation or personal data breach, or thirty (30)
days from the last communiqué with the personal information controller
or concerned entity, whichever is earlier.

36 Complaints-Assisted Form dated 23 July 2018 of ECV.
37 Id., at pages 2-3.
38 Supplemental Complaint Affidavit dated 07 November 2018 of ECV, ¶11, at page 2.
39 National Privacy Commission, Rules of Procedure, NPC Circular No. 16-04, §12(c) (15 December 2016) (NPC Circular
16-04).

The failure to comply with the requirements of this Section shall cause the
matter to be evaluated as a request to the National Privacy Commission for
an advisory opinion, and for the National Privacy Commission to take such
further action, as necessary. The National Privacy Commission may waive
any or all of the requirements of this Section, at its discretion, upon good
cause shown, or if the complaint involves a serious violation or breach of
the Data Privacy Act, taking into account the risk of harm to the affected
data subject.40 (Emphasis supplied)

On its face, the complaint was filed beyond the six-month period,
counted from November 2017. Nevertheless, the last paragraph of
Section 4 of the 2016 Rules of Procedure allows the Commission to
“waive any or all of the requirements of this Section, at its discretion,
upon good cause shown, or if the complaint involves a serious
violation or breach of the Data Privacy Act, taking into account the
risk of harm to the affected data subject.”41

The Commission exercises its authority to waive the requirement
under Section 4(c) of the 2016 Rules of Procedure. ECV’s allegations,
if substantially proven, may lead the Commission to conclude that
there was a serious violation of the DPA. ECV may also have been
seriously harmed due to the processing of her Marriage Contract,
which was exposed to her employer, the DepEd.

Thus, the Commission finds it appropriate to exercise its authority to
resolve the case on the merits.

II. CVF cannot be held liable for the
violation of Section 25(b) or
Unauthorized Processing of Sensitive
Personal Information.

40 Id., § 4.
41 Id.

The controversy essentially revolves around the processing of ECV’s
Marriage Contract.

The DPA defines processing as “any operation or any set of
operations performed upon personal information including, but not
limited to, the retrieval…storage, [and] use…of data.”42

ECV narrated that on 30 November 2017, CVF said that she was able
to obtain ECV’s Marriage Contract from the NSO.43 The Marriage
Contract was later attached by CVF to the DepEd Complaint.44

CVF denies these allegations. She reasons that, as stated by ECV
herself, she would have no authority to obtain the document from
the PSA, and “[t]hus, without such authority, it is legally impossible
for the PSA to release the Complainant’s Marriage Certificate or any
personal information to Respondent.”45

There are two instances of processing of personal data involved
in this case: 1) the acquisition of ECV’s Marriage Certificate; and 2)
the submission of her Marriage Certificate as part of the DepEd
Complaint.

a. There is no substantial evidence to show that the acquisition of
ECV’s Marriage Certificate was unauthorized.

In relation to the first processing, CVF “vehemently denies” that
she obtained the Marriage Certificate of ECV and her husband.46
However, it is not disputed that CVF, as the complainant in the DepEd
Complaint, submitted ECV’s Marriage Certificate to the government
agency. This was affirmed by the DepEd itself when it certified
that the Marriage Certificate “was attached, and included by CVF
when she filed the complaint against ECV before the Department of
Education, Regional Office 10.”47

42 Data Privacy Act of 2012, § 3(j).
43 Supplemental Complaint Affidavit dated 07 November 2018 of ECV, ¶7, at page 1.
44 Id., ¶11, at page 2.
45 Responsive Comment dated 07 June 2019 of CVF, ¶3, at pages 1-2.
46 Id., ¶ 1, at page 1.
47 Certification dated 12 January 2022 of the Department of Education- Region X, Northern Mindanao.

Thus, it can be reasonably concluded that CVF was able to obtain
ECV’s Marriage Certificate from the fact that she submitted it to the
DepEd.

Under PSA Memorandum Circular No. 2017-09, dated 19 June 2017
(PSA Circular), the PSA enumerated the parties who may request
an original and certified true copy of a Certificate of Live Birth,
Certificate of Marriage, and Certificate of Death.48 Pursuant to the
Circular, the PSA may only release the Certificates to the following
persons or entities:

1. The owner himself or through a duly authorized representative;

2. His/her spouse, parent, direct descendants, guardian or institution
legally in-charge of him/her, if minor;

3. The court or proper public official whenever absolutely necessary in
administrative, judicial or other official proceedings to determine the
identity of a person;

4. In case of the person’s death, the nearest of kin.49

The evidence on record does not contain adequate information on
when CVF actually acquired the Marriage Certificate. ECV, in her
sworn statements, merely recounts CVF’s alleged utterances of
securing ECV’s Marriage Certificate.50 ECV only provided her own
narrations, without any sufficient corroborating or equivalent proof,
that establishes the period of CVF’s acquisition of the document.
If CVF obtained the Marriage Certificate after the issuance of the
PSA Circular, there would be reasonable grounds for unauthorized
processing since she is not one of the entities authorized to receive
the Marriage Certificate.

48 Philippine Statistics Authority, Issuance of Original and Certified True Copy of Certificate of Live Birth, Certificate of
Marriage and Certificate of Death, Memorandum Circular No. 2017-09, ¶ 2 (19 June 2017).
49 Id.
50 See Complaints-Assisted Form dated 23 July 2018 of ECV, at pages 2-3; Supplemental Complaint Affidavit dated
07 November 2018 of ECV, ¶¶ 5 & 8, at pages 1-2; PNP Incident Record Form Entry No. XXX-2 dated 04 December
2017, at page 2.

Since there is no substantial proof to show that CVF obtained the
Marriage Certificate in violation of the PSA Circular, the Commission
cannot conclude that CVF committed unauthorized processing in
relation to the acquisition of the Marriage Certificate.

b. The use of ECV’s Marriage
Certificate falls within processing that
is necessary for the establishment,
exercise or defense of legal claims.
There is no violation of Section 25(b) of
the DPA.

The second processing relates to CVF’s submission of ECV’s
Marriage Certificate to the DepEd as attachment to her complaint.
To reiterate, DepEd certified that ECV’s Marriage Contract “was
attached, and included by CVF when she filed the complaint against
ECV before the Department of Education, Regional Office 10.”51

In ECV’s Supplemental Affidavit, she prays that CVF be held liable for
Section 25 of the DPA.52 This provision penalizes the unauthorized
processing of personal information under Section 25(a), and sensitive
personal information under Section 25(b).53
The Commission finds it relevant to focus on Section 25(b) of the
DPA. The unauthorized processing of sensitive personal information
has three (3) elements, namely:
1. The accused processed information of the data subject;
2. The information processed is classified as sensitive personal
information; and
3. The processing was done without the consent of the data subject
or without authority under the DPA or any existing law.54

The Commission finds the first element present. There is substantial
evidence to show that CVF submitted ECV’s Marriage Contract for
the DepEd Complaint. As discussed, the DepEd issued a certification

51 Certification dated 12 January 2022 of the Department of Education- Region X, Northern Mindanao.
52 Supplemental Complaint Affidavit dated 07 November 2018 of ECV, ¶ 22, at page 3.
53 Data Privacy Act of 2012, § 25.
54 NPC 18-077, Decision dated 15 April 2021, at page 6.

stating that CVF attached and included the Marriage Contract for
her DepEd Complaint against ECV.55 These actions squarely fall
within the definition of processing, which includes the use of a data
subject’s personal information.56

The second element of Section 25(b) of the DPA is also present.
Under the DPA, sensitive personal information includes a person’s
race, marital status, and age.57 ECV’s Marriage Contract contains
these pieces of information.

The last element of the crime requires that the processing be
without the consent of the data subject or without authority under
the DPA or any existing law.58 This element, however, is absent. The
Commission finds that the processing of ECV’s sensitive personal
information was anchored on Section 13(f) of the DPA, which
provides:

SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases:

xxx

(f) The processing concerns such personal information as is necessary
for the protection of lawful rights and interests of natural or legal persons
in court proceedings, or the establishment, exercise or defense of legal
claims, or when provided to government or public authority.59 (Emphasis
supplied)

There are three (3) instances wherein Section 13(f) of the DPA is
applicable: “(a) the proceeding is necessary for the protection of
lawful rights and interests of natural persons in court proceedings;
(b) the processing is necessary for the establishment, exercise or
defense of legal claims; or (c) the processing concerns personal
information that is provided to government or public authority.”60

55 Certification dated 12 January 2022 of the Department of Education- Region X, Northern Mindanao.
56 See Data Privacy Act of 2012, § 3(j).
57 Id., § 3(l).
58 NPC 18-077, Decision dated 15 April 2021, at page 6.
59 Data Privacy Act of 2012, § 13(f).

ADVISORY OPINION NO. 202-026 179

CVF’s submission of ECV’s Marriage Contract to the DepEd falls
within processing that is necessary for the “establishment, exercise
or defense of legal claims.”61

As stated in EA and TA vs. EJ, EE and HC:

The DPA should not be seen as curtailing the practice of law in
litigation. Considering that it is almost impossible for Congress to
determine beforehand what specific data is “necessary” or may or
may not be collected by lawyers for purposes of building a case,
applying the qualifier “necessary” to the second instance in Section
13(f) therefore, serves to limit the potentially broad concept of
“establishment of legal claims” consistent with the general principles
of legitimate purpose and proportionality.62

In her DepEd Complaint, CVF alleged that ECV made malicious
utterances against her and her family.63 CVF also asked the DepEd “to
conduct an investigation and consequently penalize the respondent
for such misconduct.”64

CVF submitted various pieces of evidence to support her DepEd
Complaint, namely: 1) affidavits from her witnesses;65 2) Tax
Declarations of Real Property;66 3) Joint Special Power of Attorney;67
4) Marriage Certificate of RV and EI;68 5) Marriage Certificate of RV
and ECV;69 and 6) pictures of CVF’s window showing the alleged
actions done by ECV.70

60 EA and TA vs. EJ, EE and HC, NPC 17-018, Decision dated 15 July 2019, at page 8.
61 Data Privacy Act of 2012, § 13(f).
62 EA and TA vs. EJ, EE and HC, NPC 17-018, Decision dated 15 July 2019, at pages 8-9.
63 Complaint dated 09 May 2018 of CVF, ¶¶ 5-9, at pages 2-3.
64 Id., ¶ 11, at page 3.
65 Id., Annex “A” – Affidavit of RBF, and unmarked Annexes – Affidavits of CF, Gilbert Sanchez Jr., and HOR, all dated
20 April 2018.
66 Id., unmarked Annexes – Tax Declaration of Property No. 14-XXX-XXXX, and Tax Declaration of Property No.
02-XXX-XXXX.
67 Id., unmarked Annex – Joint Special Power of Attorney.
68 Id., unmarked Annex – Marriage Certificate of RV and EI.
69 Id., unmarked Annex – Marriage Certificate of RV and ECV.
70 Id., unmarked Annex – various pictures.



To be clear, the Commission is not the proper body to determine
the merits of the legal claims that are sought to be established,
exercised, or defended by parties, pursuant to Section 13(f) of the
DPA.71 It cannot rule on whether the Marriage Contract helps or
detracts from CVF’s complaint. Rather, the Commission’s task is to
determine whether the processing of personal information complies
with the DPA, and other related issuances of the Commission.

Further, in relation to compliance with the DPA, the Commission
emphasizes that though there may be lawful basis in processing
personal or sensitive personal information, such as anchoring the
processing in Section 13(f) of the DPA, the said processing must still
adhere and be consistent with Section 11 of the DPA, which provides
for the General Data Privacy Principles of transparency, legitimate
purpose, and proportionality.72

The DepEd Complaint relates to ECV’s misconduct.73 CVF
contextualizes the “strained relationship” between the parties as a
result of a boundary dispute,74 and ECV’s various gossips that tainted
CVF and her family’s reputation.75 She argues that “[a] teacher’s
duty is not limited to being an agent of knowledge but, above all
else, an agent of morals… A teacher, both in her official and personal
conduct, must display exemplary behavior.”76

Given the context and allegations, the Commission finds that CVF’s
submission of ECV’s Marriage Certificate was necessary for the
establishment, exercise or defense of her legal claims against ECV.
It should be emphasized that the processing of ECV’s Marriage
Certificate was not done in a vacuum but was in relation to the
DepEd Complaint in order for CVF to support her allegations and
to provide better context. In its Decision dated 23 April 2021, the
DepEd used the “facts established and the evidence presented [to]
support the findings of ECV’s guilt”.77 The processing, given the
surrounding context, cannot be considered unlawful or illegal. It
squarely falls within “the establishment, exercise or defense of legal
claims” under Section 13(f) of the DPA.

71 See EA and TA vs. EJ, EE and HC, NPC 17-018, Resolution dated 05 November 2020, at page 3.
72 Data Privacy Act of 2012, § 11.
73 Complaint dated 09 May 2018 of CVF.
74 Id., ¶ 1, at page 1.
75 Id., ¶¶ 7-9, at pages 2-3.
76 Id., ¶ 13, at page 3.
77 Decision of the Department of Education- Region X, Northern Mindanao dated 23 April 2021, at page 3.

Additionally, the processing is valid since the sensitive personal
information was “provided to government or public authority.”78
The nature of the information and the party’s purpose in providing it
to the public authority should be connected to the latter’s mandate
and in relation to the legal claims of the party.

As part of DepEd’s mandate, it is tasked to hear administrative
charges against public school teachers, especially when they
allegedly violate the Code of Professional Conduct for Teachers.79
Here, the processing was in the context of ECV’s position as a public
school teacher,80 and her alleged violations of specific provisions
of the “Philippine Code of Ethics for Professional Teachers”.81 The
processing of sensitive personal information, which was provided to
the DepEd for the necessary establishment of CVF’s legal claims,
falls within Section 13(f) of the DPA.

Moreover, ECV failed to provide substantial evidence that CVF
had no basis to process her Marriage Contract. The Commission
emphasizes that the data subject’s consent is not the only basis for
lawful processing of personal or sensitive personal information since
Sections 12 and 13 of the DPA provide for other lawful bases for
processing to be authorized.82 While ECV may not have consented
to the processing of her Marriage Contract, such act may still be
allowed if it is anchored on other bases provided in Section 13 of the
DPA.

The Commission finds that there was a valid basis for processing
ECV’s sensitive personal information through Section 13(f) of the
DPA. Consequently, CVF has not violated Section 25(b) of the law
since the processing was in relation to the establishment, exercise
or defense of legal claims, and provided to a government body.

78 Data Privacy Act of 2012, § 13(f).
79 See The Magna Carta for Public School Teachers, Republic Act No. 4670, §§ 7-9 (1966); Department of Education,
Revised Rules of Procedure of the Department of Education in Administrative Cases, DepEd Order No. 49, series of
2006, §§ 1, 8-10, 46 (12 December 2006).
80 Complaint dated 09 May 2018 of CVF, ¶ 2, at page 1.
81 Id., ¶¶ 14-15, at pages 3-4.
82 See Data Privacy Act of 2012, §§ 12 & 13.



WHEREFORE, premises considered, the Complaint is hereby
DISMISSED for lack of merit.

SO ORDERED.

City of Pasay, Philippines.
17 March 2022.

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

WE CONCUR:

Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Sgd.
DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner

Copy furnished:

ECV
Complainant

CVF
Respondent

MB
Counsel for Respondent

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission



MLF,
Complainant,
-versus-

NPC 19-C-142
For: Violation of the Data Privacy Act of 2012

MYTAXI.PH CORPORATION
(GRAB PHILIPPINES),

Respondents.
x----------------------------------------------------x

DECISION

AGUIRRE, D.P.C.;

Before this Commission is a complaint filed by MLF against MyTaxi.
PH Corporation, doing business under the name of “Grab Philippines”
(Grab Philippines), for an alleged violation of Republic Act No. 10173
or the Data Privacy Act of 2012 (DPA).

Facts

MLF, in his Complaints-Assisted Form, claimed that Grab Philippines
committed violations of the DPA.1

On 6 February 2019, he booked a car ride from UP Town Center2
and was assigned to Grab driver ADB with Booking ID No. IOS-141-
99938-8-345.3 As stated by MLF:

Within the Grab System[,] my Name [and] Mobile Number is [sic] made
available to the driver. There is also an in[-]app chat function. Both Mobile
Number and Chat function are made available with my consent under their
terms and condition for the purpose of transacting a ride. So that driver
and rider can communicate to meet each other.4

1 Complaints-Assisted Form, 2 March 2019, at 1, in MLF v. MyTaxi.Ph Corporation, NPC Case No. 19-142 (NPC 2019).
2 Id. at 4.
3 Id. at 2.



NPC 18-142
MSH vs RSF &TCC
Decision
Page 1 of 8

MSH,
Complainant,
-versus-
RSF & TCC,
Respondents.

NPC Case No. 18-142
For: Violation of the Data Privacy Act of 2012
x----------------------------------------------------x

DECISION

NAGA, P.C.;

Before this Commission is a Complaint filed by MSH (MSH) against
TCC (TCC), and its president, RSF (RSF) for the alleged violation of
Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA).

Facts

MSH filed a Complaint dated 25 September 2018 (Complaint) against
respondents due to the discrepancies in her Transcript of Records
(TOR), particularly the course and the Commission on Higher
Education (CHED) Special Order Number (S.O. No.) indicated in the
TOR.1

MSH is a graduate of TCC, with a degree of Bachelor of Elementary
Education (BEE), based on CHED’s S.O. No. 50-140101-0126 s. 2008.2

From the records of the case, TCC issued two (2) TORs in the name
of MSH. In the first TOR, dated 23 May 2008, the course stated was
Bachelor of Secondary Education (BSE), instead of BEE. Meanwhile,
the CHED S.O. No. found in the “remarks” portion was CHED S.O.
No. 50-140102-0100 s. 2008.3 TCC issued a corrected TOR, dated
22 January 2018, which stated that MSH’s course was “Bachelor of
Elementary Education”; however, there was still an error in the CHED
S.O. number, which read “CHED S.O. No. 50-140102-0126 s. 2008”.4

1 Complaint Assisted Form dated 25 September 2018 filed by Complainant MSH.
2 See Id.; Transcript of Records dated 19 June 2018.
3 Transcript of Records dated 23 May 2008. Discrepancy underlined.

DECISION MSH VS TCC 185

MSH alleged that due to these discrepancies, her employer, San
Francisco Parish School (SFPS), conducted a background check and
concluded that her credentials were fake, to her “grave shame and
public humiliation”.5 Further, she is asking for “monetary settlement”.6

The parties failed to reach an amicable settlement during the course
of the proceedings.7 Thus, the Commission, through the Complaints
and Investigation Division (CID), issued an Order dated 02 September
2021, directing the respondents to file a verified comment within
fifteen (15) days from receipt of the Order.8

The respondents subsequently filed a Verified Comment dated 22
September 2021 (Verified Comment).9 In the Verified Comment, the
respondents prayed for the dismissal of the Complaint for lack of
cause of action and utter lack of merit.10

The respondents reasoned that upon learning of the discrepancies
from MSH, the Registrar undertook the following actions: 1) an
Affidavit of Discrepancy dated 18 June 2018 stating the correct
information, and explaining that the discrepancies were “obviously
caused by typographical error or pure excusable inadvertence xxx”;11
2) a Certification dated 08 May 2018 stating the correct information,
and further certifying that MSH was of “good moral character and
has shown exemplary conduct during her stay in this institution”;12
and 3) another Certification dated 08 May 2018, explaining that the
discrepancies were “misprinted”, and attaching the corrected TOR
and certified true copy of the diploma.13

Further, the respondents explained that they did not issue the
incorrect TORs to SFPS, even though the latter requested the
TORs as part of the background check, since there was no written
authorization from MSH.14 Thus, there was no improper disclosure.

4 Transcript of Records dated 22 January 2018. Discrepancy underlined.
5 Complaint Assisted Form dated 25 September 2018 filed by Complainant MSH, at page 2.
6 Id., at page 3.
7 Undated Letter of Complainant MSH, transmitted through e-mail, on 20 November 2018.
8 Order (To File Verified Comment) dated 02 September 2021.
9 Verified Comment dated 22 September 2021 filed by RSF and TCC.
10 Id., at page 3.
11 Id., at unmarked Annexes.
12 Id.
13 Id.

Issue

Whether the respondents violated the Data Privacy Act of 2012.

Discussion

The Commission deems it necessary to summarize the undisputed
facts for a proper discussion of the case.

From the records, it is clear that there were two (2) TORs containing
discrepancies, namely: the stated course and the CHED S.O.
number of MSH.15 These discrepancies were subsequently rectified
through an Affidavit of Discrepancy and two Certifications, both
dated 08 May 2018, and both signed by the Registrar, providing the
correct details and explaining the reasons for the discrepancies.16
Nevertheless, due to the incorrect TORs, MSH’s employer, SFPS,
conducted a background check and concluded that her credentials
were fake.17

This Commission finds it undisputed that TCC is a personal information
controller (PIC), since it “controls the collection, holding, processing
or use of personal information.”18 MSH is the data subject for she
is “an individual whose personal information is processed.”19 The
personal information involved are the course and CHED S.O. number
given that the data “when put together with other information would
directly and certainly identify an individual”.20 Here, TCC processed
the personal information of MSH (course and CHED S.O. No.) for the
issuance of her TOR.

14 Id., at 2.
15 See Transcript of Record dated 23 May 2008, and Transcript of Record dated 22 January 2018.
16 Verified Comment dated 22 September 2021 filed by RSF and TCC.
17 Complaint Assisted Form dated 25 September 2018 filed by Complainant MSH.
18 Republic Act No. 10173, or the Data Privacy Act of 2012, Section 3(h).
19 Republic Act No. 10173, or the Data Privacy Act of 2012, Section 3(c).
20 Republic Act No. 10173, or the Data Privacy Act of 2012, Section 3(g).


While TCC endeavored to rectify the discrepancies of MSH’s personal
information, the Commission finds that the respondent should
indemnify MSH for the damages sustained due to the inaccurate
and false information found in her previous TORs.

A PIC is obligated to ensure compliance, among others, with Section
11 of the DPA, providing for the General Data Privacy Principles.
Particularly, Section 11(c) states:

SEC. 11. General Data Privacy Principles. – The processing of personal
information shall be allowed, subject to compliance with the requirements
of this Act and other laws allowing disclosure of information to the public
and adherence to the principles of transparency, legitimate purpose and
proportionality.

Personal information must be:

xxx

(c) Accurate, relevant and, where necessary for purposes for which it
is to be used the processing of personal information, kept up to date;
inaccurate or incomplete data must be rectified, supplemented, destroyed
or their further processing restricted; xxx21 (Emphasis supplied)

In this regard, Section 19(c) of the Implementing Rules and Regulations
of the DPA (IRR) requires PICs to ensure data quality, to quote:

SECTION 19. General Principles in Collection, Processing and Retention. — The
processing of personal data shall adhere to the following general principles in
the collection, processing, and retention of personal data:

xxx

c. Processing should ensure data quality.

1. Personal data should be accurate and where necessary for declared,
specified and legitimate purpose, kept up to date.

2. Inaccurate or incomplete data must be rectified, supplemented, destroyed
or their further processing restricted.22 (Emphases supplied)

Meanwhile, a data subject has the right to rectification under Section
34 of the IRR:

21 Republic Act No. 10173, or the Data Privacy Act of 2012, Section 11(c).

SECTION 34. Rights of the Data Subject. — The data subject is
entitled to the following rights:

xxx

d. Right to rectification. The data subject has the right to dispute
the inaccuracy or error in the personal data and have the personal
information controller correct it immediately and accordingly, unless the
request is vexatious or otherwise unreasonable. If the personal data
has been corrected, the personal information controller shall ensure
the accessibility of both the new and the retracted information and the
simultaneous receipt of the new and the retracted information by the
intended recipients thereof: Provided, That recipients or third parties who
have previously received such processed personal data shall be informed
of its inaccuracy and its rectification, upon reasonable request of the data
subject.23 (Emphasis supplied)

Separate from the data subject’s right to rectification is the right of
a data subject to damages anchored on Section 16(f) of the DPA,
which provides:

SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

xxx

(f) Be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of
personal information.24

Based on Section 11(c) of the DPA, and Section 19(c) of the IRR of the
DPA, the respondent, being a PIC, had the obligation to ensure that
MSH’s personal information was accurate and up to date. Yet, the
fact that TCC separately issued two (2) inaccurate TORs reveals a
clear lapse in ensuring diligent compliance with the DPA. MSH acted
in the exercise of her right to rectification due to the inaccurate and
false information stated in the two (2) TORs.

The Commission notes that TCC subsequently undertook to
correct and update the TORs.25 Nevertheless, the issuance of
inaccurate information, in itself, caused damage to MSH. Due to the
discrepancies, SFPS found it necessary to conduct a background
check to verify the authenticity of the credentials and integrity of
MSH.26 This would have been avoided if TCC had more stringent
measures in place to ensure data quality.

22 Implementing Rules and Regulations of Republic Act No. 10173, Section 19(c).
23 Implementing Rules and Regulations of Republic Act No. 10173, Section 34(d).
24 Republic Act No. 10173, or the Data Privacy Act of 2012, Section 16(f).

Section 16(f) of the DPA allows for indemnification in favor of the
data subject when it is shown that there were damages sustained,
and the cause of the injury was due to “inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal
information.”27 As discussed, the Commission finds that damages
were sustained by MSH, despite TCC’s subsequent rectification of
the inaccurate personal information. Thus, Section 16(f) of the DPA
is applicable.

The Commission finds that Section 16(f) of the DPA is applicable
since: 1) there was inaccurate and false information contained in two
(2) TORs issued by TCC; and 2) there was damage because these
discrepancies cast doubt on MSH’s credentials and employment.
TCC’s subsequent rectification of the TORs does not prohibit
indemnification in favor of MSH.

As to the type and amount of damages to be awarded, it is appropriate
to award MSH nominal damages. The award for nominal damages
is proper when “a legal right is technically violated and must be
vindicated against an invasion that has produced no actual present
loss of any kind or where there has been a breach of contract and
no substantial injury or actual damages whatsoever have been or
can be shown.”28

It has been ruled that “[t]he assessment of nominal damages is left to
the discretion of the court/tribunal, according to the circumstances
of the case.”29

25 See Verified Comment dated 22 September 2021 filed by RSF and TCC.
26 See Complaint Assisted Form dated 25 September 2018 filed by Complainant MSH, at page 2; and Verified
Comment dated 22 September 2021 filed by RSF and TCC, at page 2.
27 Republic Act No. 10173, or the Data Privacy Act of 2012, Section 16(f).
28 MCC Industrial Sales Corp. v. Ssangyong Corp., G.R. No. 170633, 17 October 2007.



NPC 18-142
MSH vs RSF &TCC
Decision
Page 7 of 8

Taking into consideration the circumstances of the case, the
Commission finds that an award of damages in the amount of ten
thousand pesos (Php 10,000.00) is proper.

While MSH impleaded RSF, TCC’s president, as a respondent in the
case, only TCC is the proper party to indemnify her given that TCC
is the PIC. Further, MSH has not proven that RSF had any intentional
or direct involvement with the discrepancies.

The Commission notes that TCC subsequently rectified the
discrepancies found in the two (2) separate TORs, thus honoring her
right to rectification. Nevertheless, the issuance of the incorrect TORs
affected MSH’s employment, and led to her employer conducting
background checks on her credentials. Worse, it concluded that her
credentials were fake. This would have all been avoided if TCC was
zealous in ensuring data quality. It committed lapses in this obligation
by issuing two incorrect TORs. Hence, the propriety of the award.

WHEREFORE, premises considered, this Commission ORDERS
Respondent, TCC, to:

1. INDEMNIFY the Complainant, MSH, in the amount of ten thousand
pesos (Php 10,000.00) for the damages sustained due to
Respondent’s issuance of inaccurate and false information,
pursuant to Section 16(f) of the Data Privacy Act of 2012; and

2. SUBMIT proof of compliance by Respondent with the
abovementioned award within fifteen (15) days upon receipt
of this Decision.

SO ORDERED.

City of Pasay, Philippines.

03 February 2022.

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

29 EA v. Q2 88, Inc., NPC 18-103, 23 July 2020, at page 7.

I CONCUR:

Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Copy furnished:

MSH
Complainant

RSF and TCC
Respondents

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission



NPC 19-030
CL vs DDZ and DM vs DDZ
Decision
Page 1 of 10

CL,
Complainant,
-versus-
DDZ,
Respondent.

NPC Case No. 19-030
(formerly CID Case No. 19-A-030)
For: Violation of the Data Privacy Act of 2012
x----------------------------------------------------x

DM,
Complainant,
-versus-
DDZ,
Respondent.

NPC Case No. 19-132
(formerly CID Case No. 19-B-132)
For: Violation of the Data Privacy Act of 2012
x----------------------------------------------------x

DECISION

NAGA, P.C.;

Before this Commission are the complaints separately filed by Mr.
CL and Mr. DM against Mr. DDZ for alleged violations of the Data
Privacy Act (DPA) of 2012.

Facts

CL, DM, and DDZ were personnel of MVP, a company located at
Clark Freeport Zone. On 22 November 2018, DDZ was terminated
by MVP as Accounts Executive Officer.

On 28 November 2018, DDZ filed a case before the Office of the City
Prosecutor of Mabalacat, Pampanga against DM, a member of the
MVP Board of Directors, and IP, an Executive Assistant to the CEO,
for theft.

DECISION CL AND DM VS DDZ 193

On 28 December 2018, DDZ moved to amend his original complaint
to include CL and alleged grave coercion and light threats. Attached
to DDZ’s complaint-affidavit to the Office of the City Prosecutor is a
letter to the Department of Labor and Employment (DOLE) attaching
copies of CL’s and DM’s passports as evidence.1 As indicated in his
complaint-affidavit, DDZ also sent copies of the passports in his
letters to the Clark Development Corporation (CDC) and the Bureau
of Immigration (BI).

On 16 and 25 January 2019, CL and DM filed a complaint before
the Commission, respectively. Both Complaints alleged that DDZ
violated the DPA for revealing their passports without their consent,
and that DDZ may have broken into MVP’s database where the
scanned copies of the passports are stored. Complainants also
stated that the attachment of their passports in the complaint filed
before the Office of the Prosecutor, DOLE, CDC, and BI was for the
purpose of harassing the Complainants.2

CL prayed that DDZ be held liable for the violations of Section
29 of the DPA. He also prayed for DDZ to be deported for the
aforementioned violation. DM, for his part, prayed that DDZ be held
liable for the violation of Sections 29 and 31 of the DPA.

DDZ filed an Answer to CL dated 07 June 2019 and to DM dated 16
August 2019. In his separate Answers, he argued that the Complaints
before the NPC are a form of retaliation from Complainants since
they are in danger of being deported for working in the Philippines
without the necessary working visa.

He also argued that the Commission should not have entertained the
complaints for failing to exhaust all remedies as provided in Section
4 of the NPC Circular No. 16-04. Further, he stated that, assuming
that the complaint is valid, the passports are excluded from the
coverage of the DPA under Section 4(e), and that the processing of
such information is permitted under Section 12 (e) and (f) and 13 (f) of
the DPA.3 In addition, he stated that he was able to obtain the passports
upon legitimate request from SM (former Operations Manager) and
DMV (former President and CEO), fully disclosing the purpose for
which the passports were going to be used.4

1 Records (NPC Case No. 19-030) at 1 to 31, and Records (NPC Case No. 19-132) at 1 to 19.
2 Records (NPC Case No. 19-030) at 1 to 9, and Records (NPC Case No. 19-132) at 1 to 6.
3 Records (NPC Case No. 19-030) at p. 89 to 90, and Records (NPC Case No. 19-132) at p. 45 to 46 and 78.

On 01 July 2019 and 12 September 2019, CL and DM filed their Reply,
respectively.5 Complainants maintain that DDZ failed to explain how
he was able to obtain their sensitive personal information and that
DDZ illegally obtained their passports and used them without their
consent. They also argued that the use of their passports is not
covered in the exceptions mentioned in Section 4(e) and Section
12(e) and (f) of the DPA. Further, CL reiterated his arguments in his
previous complaint that DDZ has no authority/access to his sensitive
personal information and therefore, has violated the DPA.

In his Rejoinder,6 DDZ reiterated his arguments in his Answer. He
also stated that he was dismissed on November 27, 2018, and his
letter to DOLE was received on December 18, 2018, which shows
that he could in no way have entered the premises of MVP later than
the date of his dismissal. He then prays for the Complaints to be
dismissed for failure to exhaust remedies under Section 4 of the DPA
and for lack of merit.

Issues

1. Whether the Complaints are exempted from Section 4 of the NPC
Circular No. 16-04.
2. Whether the Respondent violated the Data Privacy Act.
3. Whether Respondent committed unauthorized access or
intentional breach in processing Complainants’ passports.

Discussion
The Complaints for the violation of the DPA lack merit.

I. The Complaints are exempted from
Section 4 of the NPC Circular 16-04

4 Id. at p. 51 to 58, and p. 41 to 49.
5 Id. at p. 71 to 78, and p. 62 to 70.
6 Records (NPC Case No. 19-030) at 88 to 93, and Records (NPC Case No. 19-132) at 72 to 79.

In his Answer and Rejoinder, Respondent argues that the Commission
should not have entertained the Complaints for failing to exhaust all
remedies under Section 4 of NPC Circular No. 16-04. This Commission
refers to the last paragraph of the aforementioned Circular, viz:

SECTION 4. Exhaustion of remedies. – No complaint shall be entertained
unless:

a. the complainant has informed, in writing, the personal information
controller or concerned entity of the privacy violation or personal data
breach to allow for appropriate action on the same;

b. the personal information controller or concerned entity did not take
timely or appropriate action on the claimed privacy violation or personal
data breach, or there is no response from the personal information
controller within fifteen (15) days from receipt of information from the
complaint;

c. and the complaint is filed within six (6) months from the occurrence
of the claimed privacy violation or personal data breach, or thirty
(30) days from the last communiqué with the personal information
controller or concerned entity, whichever is earlier.

The failure to comply with the requirements of this Section shall
cause the matter to be evaluated as a request to the National Privacy
Commission for an advisory opinion, and for the National Privacy
Commission to take such further action, as necessary. The National
Privacy Commission may waive any or all of the requirements of this
Section, at its discretion, upon good cause shown, or if the complaint
involves a serious violation or breach of the Data Privacy Act,
taking into account the risk of harm to the affected data subject.7
(Emphasis supplied)

Further, Rule II, Section 2 of the NPC Circular No. 2021-01 provides:
The NPC may waive any or all of the requirements of this Section
at its discretion upon (a) good cause shown, properly alleged and
proved by the complainant; or (b) if the allegations in the complaint
involve a serious violation or breach of the Data Privacy Act of 2012,
taking into account the risk of harm to the affected data subject,
including but not limited to:

i. when there is grave and irreparable damage which can only be
prevented or mitigated by action of the NPC;
ii. when the respondent cannot provide any plain, speedy or adequate
remedy to the alleged violation;
iii. or the action of the respondent is patently illegal. (Emphasis
supplied)

7 Section 4 of NPC Circular 16-04.

This Commission recognizes that it is afforded with a broad range
of powers to implement its mandate such as the power to waive
the requirements of its Rules of Procedure. However, there are two
alternate factors to be taken into account should it decide to waive
the requirements of the aforementioned section: (a) good cause
shown, properly alleged and proved by the complainant; or (b) if the
complaint involves a serious violation or breach of the DPA, taking
into account the risk of harm to affected data subjects.

Moreover, this Commission takes this opportunity to recall
its previous ruling in NPC Case No. 19-528, which states that the
purpose of Section 4 of NPC Circular No. 16-04 is to prevent the
undue clogging of the Commission’s docket and avoid instances
wherein a case shall be dismissed despite the good cause shown by
the Complainant or the case involves a serious violation of the DPA.
This Commission also reiterates that the Rule is meant to prohibit
instances of deciding cases based on mere technicalities.8

Additionally, it shall be emphasized that the personal information
of Complainants was already processed by the Respondent
when he requested and accessed the passports and included them in
his Complaint-Affidavit. In this case, the Rule can no longer apply
given that the Respondent cannot take any appropriate action to
remedy the situation since the passports were already included in
the Complaint-Affidavit filed before the Office of the Prosecutor and
cannot be withdrawn.

The Commission also finds that the Complaints involve a possible
violation of the DPA given the alleged unauthorized processing
of passports by the Respondent since the passports processed
contain sensitive personal information, and the processing of such
information is generally prohibited subject only to a few exceptions.
In addition, the processing of sensitive personal information involved
may pose a risk of serious harm to the affected data subjects since
the personal information involved may be used to enable identity
fraud, theft, crimes, and other harm.

Further, as the Complainants allege the violation of Criteria for Lawful
Processing of Personal Information, Sensitive Personal Information,
and Unauthorized Access or Intentional Breach9 due to the processing
of their passports without their consent and unauthorized access to
their personal information, this Commission then finds that it is but
proper to waive the requirement under Section 4 of NPC Circular
No. 16-04. This is in consideration of the possible risk of harm to
the affected data subjects and that the Complaints involve a serious
violation or breach of the DPA.

8 Resolution, NPC Case No. 19-528. Dated 23 February 2021.

DECISION CL AND DM VS DDZ 197

II. Respondent’s processing of passports
is permissible under the Data Privacy Act of 2012

Respondent stated that he was able to obtain a copy of CL and DM’s
passports through a legitimate request from the Human Resources
(HR) of MVP, SM (former Operations Manager), and DMV (former
President and CEO) wherein he fully disclosed the purpose of his
request of attaching the information in his complaint-affidavit. In his
Rejoinder to CL’s Reply, Respondent stated:

11. Respondent upon his legitimate request with the HR of MVP, with full
complete statements of the purpose for which such Information was
needed, was provided with the copy of complainant’s passport. There
is no way can the respondent enter the premises of MVP since he was
dismissed, albeit illegally, from his employment and prevented to enter the
MVP;10

In his Answer to DM’s Complaint, which he then also reiterated in his
Rejoinder for this case, Respondent stated:

20. Respondent, upon his legitimate request with the employees of MVP,
particularly SM, the former Operations Manager, and DMV, the former
President and CEO, with full complete statements of purpose for which
such Information was needed, was provided with the copy of complainant’s
passport. There is no way the respondent can enter the premises of MVP
since he was dismissed, albeit illegally, from his employment and prevented
to enter MVP;11

At the outset, it shall be emphasized that in this case, there are
two forms of processing involved. Section 3(j) of the DPA defined
processing as:

(j) Processing refers to any operation or any set of operations performed
upon personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of
data.12

9 Sections 12, 13 and 29, DPA.
10 Records (NPC Case No. 19-030) at p. 91.
11 Records (NPC Case No. 19-132) at p. 46.

The first processing conducted by DDZ was when he requested
for CL and DM’s passports from MVP’s officer and successfully
collected such information. The second processing was when DDZ
used the copy of Complainants’ passports as attachment to his
complaint-affidavit before the Office of the Prosecutor of Mabalacat,
Pampanga, Letter to DOLE, CDC, and BI.

As previously discussed, passports contain sensitive personal
information wherein its processing is generally prohibited subject
only to a few exceptions. Such exceptions are provided in Section
13(f) of the DPA, thus:

SEC. 13. Sensitive Personal Information and Privileged Information. – The
processing of sensitive personal information and privileged information
shall be prohibited, except in the following cases:

(f) The processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise or defense of legal claims, or
when provided to government or public authority.13 (Emphasis Supplied)

This Commission then finds that Respondent’s request and access
to the copies of CL and DM’s passports fall under the exception
as stated in Section 13(f) of the DPA, specifically, the processing is
necessary for the establishment, exercise or defense of legal claims.
As previously ruled by the Commission in NPC Case No. 17-018, “the
relationship of the parties during the processing and judicial ties
between them are being considered in determining valid reliance to
Section 13(f) of the DPA.”14 In this case, Respondent’s attachment of
CL and DM’s passports to his DOLE letter attached in his complaint-
affidavit to the Office of the Prosecutor is to show factual antecedent
for his allegations of theft and grave coercion against Complainants.
It also alleges that both CL and DM are Australian citizens without
valid working visas in the Philippines.

Likewise, the second processing by Respondent wherein he
submitted the copies of passports as attachment to his letter to
DOLE, CDC and BI which were attached to his complaint-affidavit
to the Office of the Prosecutor, also falls under the same exception
stated in the aforementioned section.

12 Section 3(j) of the Data Privacy Act of 2012.
13 Section 13(f) of the DPA.

It must be noted that DDZ’s allegations of CL and DM’s grave threats
and illegal stay in the Philippines are under the investigative powers
of these government agencies. The Office of the Prosecutor has
the investigative powers on all charges of crimes, misdemeanors,
and violations of penal laws and ordinances within their respective
jurisdictions.15 Meanwhile, the Secretary of Labor has the visitorial power
to inspect the premises, books of accounts and records of any
person or entity covered by the Labor Code, require it to submit
reports regularly on prescribed forms, and act on violations of any
provisions of the Labor Code.16

CDC as the operating and implementing arm of the Bases Conversion
and Development Authority (BCDA), is authorized to manage the
Clark Special Economic Zone (CSEZ).17 And finally, the functions of
the Bureau of Investigation primarily include the administration and
enforcement of immigration, citizenship and alien admission and
registration laws in accordance with the provisions of the Philippine
Immigration Act of 1940, as amended (C.A. No. 613, as amended).18

Moreover, this Commission takes this opportunity to reiterate its ruling
in a previous case19, that the processing of personal and sensitive
personal information relying on Section 13(f) must still adhere to and be
consistent with Section 11 of the DPA or the General Data Privacy
Principles of transparency, legitimate purpose, and proportionality.
Further, Section 13(f) requires that the processing activities shall be
done within the limits of the law, which entails the obligation of the
controller to comply with the requirements of the DPA.

III. Respondent cannot be held liable
for the violation of Section 29 of the DPA
or Unauthorized Access or Intentional Breach

CL and DM alleged that DDZ may have broken into the MVP’s
database where the scanned copies of their passports are stored.

14 Resolution, NPC Case No. 17-018. Dated 05 November 2020.
15 Section 9(b) of the Republic Act No. 10071.
16 Article 37 of the Labor Code of the Philippines.
17 Section 1 of Executive Order No. 80, Series of 1993.
18 Section 31 of the Administrative Code of 1987.


However, Complainants failed to provide substantial proof to
support their allegations and prove that a violation of Section 29 or
Unauthorized Access or Intentional Breach were committed by the
Respondent. Section 29 of the DPA states:

SEC. 29. Unauthorized Access or Intentional Breach. – The penalty
of imprisonment ranging from one (1) year to three (3) years and a
fine of not less than Five hundred thousand pesos (Php500,000.00)
but not more than Two million pesos (Php2,000,000.00) shall be
imposed on persons who knowingly and unlawfully, or violating data
confidentiality and security data systems, breaks in any way into
any system where personal and sensitive personal information is
stored.20 (Emphasis Supplied)

Complainants were not able to demonstrate by substantial evidence
the very corpus delicti of the crime which is the instance that
the Respondent breaks into the data system where personal or
sensitive personal information of the MVP is stored. Section 22 of
NPC Circular No. 16-04 provides, “the Decision of the Commission
shall adjudicate the issues raised in the complaint on the basis of
all the evidence presented and its own consideration of the law.”
(Emphasis Supplied)

Further, as the Supreme Court held in Florencio Morales, Jr. v.
Ombudsman Conchita Carpio-Morales, et. al., “The basic rule is that
mere allegation is not evidence and is not equivalent to proof. Charges
based on mere suspicion and speculation likewise cannot be given
credence. When the complainant relies on mere conjectures and
suppositions, and fails to substantiate his allegations, the complaint
must be dismissed for lack of merit.”21

With only mere allegations and absent the supporting evidence
to prove that Respondent indeed broke into the database of MVP
to obtain the copies of their passports, such allegations cannot be
given credence by the Commission. Thus, this Commission finds
that Respondent cannot be found to have committed a violation of
Section 29 of the DPA or Unauthorized Access or Intentional Breach.

WHEREFORE, all premises considered, this Commission resolves that
the instant Complaints filed by CL and DM are hereby DISMISSED for
lack of merit.

19 Resolution, NPC Case No. 17-018. Dated 5 November 2020.
20 Section 29 of the Data Privacy Act of 2012.


SO ORDERED.

City of Pasay, Philippines.
10 June 2021.

SGD.
JOHN HENRY D. NAGA
Deputy Privacy Commissioner

WE CONCUR:

SGD.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner
SGD.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Copy furnished:

CL
Complainant

DM
Complainant

MJRVLO
Counsel for Complainants

DDZ
Respondent

PMB
Counsel for Respondent

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission



NPC 18-142
JRO vs MSMI
Decision
Page 1 of 17

JRO,
Complainant,

-versus-

MSMI,
Respondent.

NPC Case No. 18-142
NPC No. 19-278
For: Violation of the Data Privacy Act of 2012
x----------------------------------------------------x

DECISION

NAGA, P.C.;

Before this Commission is a Complaint filed by JRO (JRO) against
MSMI (MSMI) for an alleged violation of Republic Act No. 10173, also
known as the Data Privacy Act of 2012 (DPA).1

Facts

JRO, in his Complaints-Assisted Form dated 27 March 2019
(Complaint), alleged that he had resigned from his employer, MSMI,
on 31 December 2018.2 He was formerly MSMI’s Philippine Overseas
Employment Administration (POEA) liaison officer/processing
officer.3 Despite his resignation, his personal account, including his
name and POEA Code SB-003621, was still used to process MSMI’s
seafarer transactions through Oller’s email address.4 He learned
about this upon verification from the POEA and when he received
documents from concerned seafarers.5

JRO alleges that he is “suffering from extreme anxiety, sleepless
nights, and mental anguish” due to these actions.6 He seeks for
reasonable damages and permanent revocation of MSMI’s POEA
license.7 JRO also seeks for a ban on the processing of personal
data due to “unlawful acts which constitute estafa, cybercrime
infringements and other criminal, civil and administrative violations.”8

1 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes, [Data
Privacy Act of 2012], Republic Act No. 10173 (2012).
2 Complaints-Assisted Form dated 27 March 2019 of JRO, at page 3.
3 Id.
4 Id.
5 Id.

DECISION JRO VS MSMI 203

As proof, JRO attached an image of his POEA ID, Certificate of
Employment, and screenshots of various emails allegedly from
POEA eServices.9

Two screenshots showed the following entries supposedly from
POEA eServices:

[Sent by POEA eServices on 12 Mar, 17:00]

Dear XXXX,

Your Application status has is (sic) now Completed by SB-003621: JRO
from MSMI agency

xxx

[Sent by POEA eServices on 12 Mar, 16:38]

Dear XXXX,

Your Application status has is (sic) now For Printing by SB-003621: JRO
from MSMI agency 10

Forwarded messages from “MA” to JRO contained various messages
from the alleged email of POEA eServices ([email protected])
that relates to the status of the POEA application, containing the
following entries:

6 Id., at page 4.
7 Id.
8 Id.
9 Id.
10 Id., see unmarked Annexes.


Dear XXXX,

Your Application status has is (sic) now For Payment by SB-003621: JRO
from MSMI agency

xxx

Dear MA,

Your Application status has is (sic) now For Printing by SB-003621: JRO
from MSMI agency

xxx

Dear MA,

Your Application status has is (sic) now Completed by SB-003621: JRO
from MSMI agency

xxx

Dear MA,

Your Application status has is (sic) now For Contract by SB-003621: JRO
from MSMI agency11

Another screenshot from “TE” also contains a forwarded message
from POEA eServices relating to the status of a POEA Application:

Dear XXXX,

Your Application status has is (sic) now Completed by SB-003621: JRO
from MSM agency12

Through the Complaints and Investigation Division (CID), the
parties were ordered to appear before the Commission to confer
for discovery on 18 June 2019.13 In the discovery conference, both
parties appeared.14 MSMI, through counsel, manifested that it will be
filing a Motion to Dismiss.15 Thus, it was given fifteen (15) days from
the discovery conference to submit the same. Meanwhile, JRO was
given fifteen (15) days from receipt of the Motion to Dismiss to file a
Comment, with another five (5) days from receipt of the Comment
for MSMI to file a Reply.16

11 Id.
12 Id.
13 Order to Confer for Discovery dated 24 April 2019, at page 1.
14 Order dated 18 June 2019, at page 1.
15 Id.
16 Id.


MSMI, through counsel, filed its Motion to Dismiss dated 02 July
2019 (Motion to Dismiss).17 In the Motion to Dismiss, MSMI stated the
following context as part of its defenses:

1. MSMI is a duly licensed manning agency (LMA) which is “engaged in
the provision of quality crew manning services to ship owners, ship
operators and ship managers engaged in international maritime
business.”18 As part of its primary business as an LMA, it “is required by
the POEA under Memorandum Circular No. 06-2018…to register with
the latter’s web-based in-house contract processing system known
as the Sea-based e-Contracts System (“SBECS”) online in order to
have the standard employment contracts of its prospective seafarers
processed and approved prior to deployment.”19

2. In the SBECS registration procedure, an LMA, like MSMI, is mandated to
submit to the POEA a Request for Enrollment and Availment of POEA
e-Services (REAPS) which contains the complete names and emails
of a maximum of three users.20 Once the registration requirements
are met, POEA will enroll and finalize the credentials and machine of
the submitted users, and when authenticated, the “SBECS will only
recognize that machine and the duly-registered access credentials.”21

3. The SBECS enables the LMA “to upload scanned copies of their
standard employment contracts with prospective seafarers for POEA’s
processing and approval. Once processing has been completed,
notification is sent to the registered e-mail addresses of the LMA-
nominated user.”22

MSMI claims that JRO was employed as its POEA liaison officer from
16 November 2012 up to 31 December 2018, and had the obligation of
liaising with POEA, which included processing documents, managing
MSMI’s accounts, and using the company-supplied computers.23 Part
of JRO’s responsibilities was the processing of documents in POEA’s
system, namely, the Sea-based e-Contracts System (SBECS).24

17 Motion to Dismiss dated 02 July 2019 of MSMI.
18 Id., ¶ 1.
19 Id., ¶ 2.
20 Id., ¶ 3.
21 Id.
22 Id., ¶ 4.
23 Id., ¶¶ 5-6.
24 Id., ¶ 6(a).


The SBECS was established by the POEA as a “secured web-based
facility” developed for licensed manning agencies (LMAs) in order to
“submit online 24/7 their request for processing (RFP), pay online the
POEA processing and [Overseas Workers Welfare Administration]
membership fees, submit online the seafarer’s contract and print the
electronic Overseas Employment Certificate (OEC) of the seafarers
in the comfort of the agency’s office.”25

During JRO’s employment, he was nominated as an authorized
user of the SBECS through the company-issued email: [email protected],
“which was specifically provided for purposes of accessing
Respondent’s SBECS account.”26 At the time of his resignation, MSMI
alleges that JRO “was the only SBECS user officially registered to
the system on behalf of Respondent.”27

When JRO resigned, MSMI submitted a letter to POEA informing
them about the resignation, and that its new liaison officer was RDR.28
This letter was duly acknowledged by POEA. However, according
to MSMI, it was only on 05 April 2019 that MSMI received POEA’s
confirmation that it may now use its company account for its new
liaison officer to process seafarer contracts in the SBECS.29

Before POEA’s confirmation, MSMI “was not able to receive the
access credentials for its new POEA Liaison Officer in time to address
[JRO’s] departure.”30 Thus, MSMI alleges that it was “compelled
by the legitimate need to maintain its business operations which
requires, among others, the ongoing processing of its seafarers’
POEA contracts, [and] continued to access its SBECS account using
the credentials registered with the company e-mail address
[email protected] until 04 April 2019.”31

25 Id., See Annex “C”, citing Philippine Overseas Employment Administration, Memorandum Circular No. 06, series of
2018, New Procedure for Online Registration of Seafarers and Seabased e-Contracts System (SBECS), § 1, ¶ 2 (POEA
Memorandum Circular No. 06-2018).
26 Id., ¶¶ 7-8.
27 Id., ¶ 7.
28 Id., ¶ 9.
29 Id., ¶¶ 9-10.
30 Id., ¶ 9.
31 Id.


MSMI contends that the POEA-registered account is not personally
registered or owned by JRO, especially since only LMAs are allowed
to register in the SBECS.32

Even assuming that MSMI was processing JRO’s personal
information, the processing was lawful pursuant to MSMI’s legitimate
interest based on Section 12(f) of the DPA.33 MSMI claims that JRO’s
resignation placed the company in a “dire situation considering that
POEA had yet to approve the access credentials of its new POEA
Liaison Officer.”34 If MSMI did not use the POEA account, “it would’ve
experienced debilitating work stoppage for a period of four (4)
months because of its inability to process seafarer contracts.”35

MSMI claims that it did not get any complaints from JRO about the
company’s use of the “access credentials for purely business-related
purposes”, and so was shocked when it received JRO’s Complaint
through the Order to Confer Discovery dated 24 April 2019.36

Thus, MSMI prays for the Complaint’s dismissal based on the following
reasons: 1) the Complaint is not a violation of the DPA or does not
involve a privacy violation, meriting outright dismissal;37 and 2) Oller
failed to follow the exhaustion of remedies since it did not inform
MSMI, in writing, about the alleged privacy violation.38

In response, Oller filed a Comment and Opposition to the Motion to
Dismiss dated 02 July 2019 with Prayer for the Issuance of Cease
and Desist Orders as Provided for Under Chapter II, Section 7(a)(b)
(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic) (Comment).39
In his Comment, JRO countered that “he immediately informed and
pleaded [with] the company officers and employees to refrain from
accessing his personal information and to subsequently dispose of

32 Id., ¶ 18.
33 Id., ¶ 24.
34 Id., ¶ 25.
35 Id.
36 Id., ¶ 11.
37 Id., ¶ 15.
38 Id., ¶ 29.
39 Comment and Opposition to the Motion to Dismiss dated July 2, 2019 with Prayer for the Issuance of Cease and
Desist Orders as Provided for Under Chapter II, Section 7(a)(b)(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic)
of JRO.


any of his personal information.”40 JRO alleges that he informed ATN
“to withdraw, block, remove and destroy” his personal information
given that there were two (2) other remaining employees, RDR and
ATN, who had access to SBECS.41 Oller attached a scanned copy of
a POEA e-Services Enrollment and Availment Form (REAPS), signed
by MSMI’s president, showing the nomination of three (3) users with
their corresponding email addresses.42

MSMI filed a Motion for Extension dated 22 July 2019, seeking an
additional period of five (5) days, or until 27 July 2019, within which
to file a Reply to JRO’s Comment.43 Subsequently, MSMI filed a Reply
(to the Complainant’s 10 June 2019 Comment and Opposition), dated
26 July 2019 (Reply).44

In its Reply, MSMI claims that JRO only “provides self-serving and
unsubstantiated declarations” regarding his allegation that he
immediately informed the company about refraining from using
his personal information, 45 or that he informed the company in
writing.46 MSMI reiterated its arguments in its Motion to Dismiss,
particularly that the alleged personal account was actually owned
by the company, 47 and that it had legitimate interests in using the
same. 48

Thereafter, JRO filed a Manifestation with Prayer to Expunge from
the Record of the Case the Respondents’ Reply (dated 26 July 2019)
and Penalized Respondents (sic) Under Sec. 33 of R.A. 10173, dated
05 August 2019 (Manifestation).49 JRO contends that his narration
is truthful, and that there should be no reason for an outright
dismissal, since the Complaint showed good cause to be decided
on the merits.50 Further, since the Commission did not grant MSMI’s
Motion for Extension, the Reply was not filed on time.51

40 Id., ¶ 3.
41 Id.
42 Id., Annex “A”.
43 Motion for Extension dated 22 July 2019 of MSMI.
44 Reply dated 26 July 2019 of MSMI.
45 Id., ¶¶ 9-10.
46 Id., ¶¶ 11-15.
47 Id., ¶ 25.
48 Id., ¶ 30.
49 Manifestation with Prayer to Expunge from the Record of the Case the Respondents’ Reply (dated July 26, 2019)
and Penalized Respondents (sic) Under Sec. 33 of R.A. 10173, dated 05 August 2019 of JRO.
50 Id., ¶ 2.
51 Id., ¶ 1.


MSMI filed a Motion to Expunge with Ex Abudanti Ad Cautelam
(to Complainant’s 05 August 2019 Manifestation) dated 28 August
2019.52 Aside from reiterating its previous arguments, in the said
Motion, MSMI prayed that the Manifestation be expunged from
the records since the final pleading was its Reply, based on the
Commission’s Order dated 18 June 2019.53 Further, MSMI averred that
Oller has not proven that there were three (3) authorized users to
use the SBECS since the REAPS that Oller attached to his Comment
was merely a request, not the actual approval from POEA.54

MSMI thereafter filed an Ex-Parte Motion to Resolve (Respondent’s
Motion to Dismiss dated 02 July 2019), dated 26 November 2019,
where the Respondent prayed that the Complaint be dismissed.55 JRO
also filed a Motion for Early Resolution and to Declare Respondents
in Default, dated 01 December 2019, also praying for the resolution
of the case.56

In a Resolution dated 12 January 2021, the CID resolved to deny
JRO’s request to expunge MSMI’s Reply; it also denied MSMI’s
motion to expunge JRO’s Manifestation, both based on due process
considerations.57

Issues

I. Whether the Complaint should be dismissed for failing to follow
the rule on exhaustion of administrative remedies.

II. Whether MSMI committed a violation of the DPA.

Discussion

The Commission dismisses the Complaint for lack of merit.

I. The Commission exercises its authority to resolve the case on the merits.

52 Motion to Expunge with Ex Abudanti Ad Cautelam (to Complainant’s 05 August 2019 Manifestation) dated 28
August 2019 of MSMI.
53 Id., ¶ 10.
54 Id., ¶ 31.
55 Ex-Parte Motion to Resolve (Respondent’s Motion to Dismiss dated 02 July 2019), dated 26 November 2019 of
MSMI., ¶ 10.
56 Motion for Early Resolution and to Declare Respondents in Default, dated 01 December 2019 of JRO, Prayer.
57 Resolution dated 12 January 2021, at pages 2-3.


MSMI contends that the case should be dismissed since JRO did not
prove that he complied with Section 4(a) of NPC Circular No. 16-04,
also known as the 2016 NPC Rules of Procedure.58

In response, JRO claims that after resigning, he immediately informed
the company to refrain from accessing his personal information.59
NPC Circular No. 16-04 was the applicable procedural rules at the
time of the filing of the complaint. Section 4 of the aforementioned
Circular states:

SECTION 4. Exhaustion of remedies. – No complaint shall be entertained
unless:

a. the complainant has informed, in writing, the personal information
controller or concerned entity of the privacy violation or personal data
breach to allow for appropriate action on the same;

b. the personal information controller or concerned entity did not take
timely or appropriate action on the claimed privacy violation or personal
data breach, or there is no response from the personal information
controller within fifteen (15) days from receipt of information from the
complaint;

c. and the complaint is filed within six (6) months from the occurrence
of the claimed privacy violation or personal data breach, or thirty (30)
days from the last communiqué with the personal information controller
or concerned entity, whichever is earlier.

The failure to comply with the requirements of this Section shall cause the
matter to be evaluated as a request to the National Privacy Commission for
an advisory opinion, and for the National Privacy Commission to take such
further action, as necessary. The National Privacy Commission may waive
any or all of the requirements of this Section, at its discretion, upon good
cause shown, or if the complaint involves a serious violation or breach of
the Data Privacy Act, taking into account the risk of harm to the affected
data subject.60 (Emphases supplied)

58 Motion to Dismiss dated 02 July 2019 of MSMI, ¶ 29.
59 Comment and Opposition to the Motion to Dismiss dated July 2, 2019 with Prayer for the Issuance of Cease and
Desist Orders as Provided for Under Chapter II, Section 7(a)(b)(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic)
of John Raeman R. Oller, ¶ 3.

Based on the record, JRO has not concretely provided evidence
that he has complied with Section 4(a) of NPC Circular No. 16-04,
since there is no proof that he informed MSMI, in writing, about the
alleged privacy violation. Other than his allegations stated in his
various pleadings before the Commission,61 JRO did not attach any
letter or other written correspondence to MSMI relating to the alleged
privacy violation. Thus, he did not provide substantial evidence that
will lead the Commission to conclude that he complied with Section
4(a) of NPC Circular No. 16-04.

Nevertheless, the Commission exercises its authority to waive the
requirement of exhaustion of administrative remedies, based on the
last paragraph of Section 4 of the 2016 Rules of Procedure.

JRO’s allegations, if substantially proven, may lead the Commission
to conclude that there was a serious violation of the DPA. The
allegations also show that there may be serious risk of harm to JRO,
given that the emails he provided allegedly show acts which he did
not do, but may be liable for.

Thus, the Commission finds it appropriate to exercise its authority to
resolve the case on the merits.

II. MSMI did not commit a violation of the DPA.

JRO claims that there was a violation of the DPA since MSMI
continually utilized his “POEA account” to process its seafarer
clients’ transactions.62

60 National Privacy Commission, Rules of Procedure, NPC Circular No. 16-04, § 4 (15 December 2016).
61 See Comment and Opposition to the Motion to Dismiss dated July 2, 2019 with Prayer for the Issuance of Cease and Desist Orders as Provided for Under Chapter II, Section 7(a)(b)(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic) of JRO, ¶ 3.
62 Complaints-Assisted Form dated 27 March 2019 of JRO, at page 3.

DECISION JRO VS MSMI 213

There are three pieces of information that JRO claims to be part of
his personal information: 1) his email account, 2) his name, and 3) the
POEA Code.63

At the outset, the Commission finds that JRO did not actually own
the “POEA account” that enabled MSMI to use the SBECS. The
company-issued email and POEA Code, which are both needed to
register and use the SBECS, are part of MSMI’s assets.

There is substantial evidence on record to show that MSMI has
ownership over the company-issued email and POEA Code.
Particularly, the contract processing fees to use the POEA system
were paid by MSMI.64

The email, [email protected], is also reasonably seen to be a
company-issued email, with the email identifier itself linked to the
company. The signed REAPS provided by JRO himself shows that
the request to enroll into the SBECS was made by MSMI.65

Further, under POEA Memorandum Circular No. 06, series of 2018,
(POEA Circular) which has for its subject the “New Procedure for
Online Registration of Seafarers and Seabased e-Contracts System
(SBECS)”, it is the LMA who requests or nominates the users to the
POEA.66

Thus, given that these are company-owned assets, the corresponding
credentials for the use of the SBECS are not owned by JRO. The
“POEA account” is for the company’s transactions, and not for his
personal use. In other words, the company was authorized to use
the POEA credentials since this was company-owned.

The POEA Code, in this instance, cannot be considered personal
information given that the said code is owned by MSMI. Meanwhile,
though the email is company-issued, it may fall under the definition
of personal information since JRO’s name is stated therein.67

63 Id.
64 Motion to Dismiss dated 02 July 2019 of MSMI, Annex “I” and “I-1”.
65 See Comment and Opposition to the Motion to Dismiss dated July 2, 2019 with Prayer for the Issuance of Cease and Desist Orders as Provided for Under Chapter II, Section 7(a)(b)(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic) of JRO, Annex “A”.
66 POEA Memorandum Circular No. 06-2018, § 2, ¶ 1.

Nevertheless, the fact that MSMI used JRO’s company-issued email
even after his resignation does not immediately equate to a violation
of the DPA.

Section 12 of the DPA provides for the criteria for lawful processing
of personal information. Aside from consent, the DPA has other
bases for lawful processing, including processing which is anchored
on legitimate interests, to quote:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The
processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:

xxx

(f) The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.68

Thus, a Personal Information Controller (PIC) may still lawfully process
personal information, even without a data subject’s consent, if it is
based on other criteria found in the DPA, such as Section 12(f).

The Commission finds that MSMI had a legitimate interest in
continuing to use its POEA account even after JRO’s resignation,
given the mandate of the POEA Circular, and MSMI’s required
business processes.

To reiterate, the POEA Circular which provides for SBECS, includes
agencies like MSMI.69 Through the SBECS, an LMA is able to use
“a secured web-based facility developed for active LMAs to submit
online 24/7 their request for processing (RFP), pay online the
POEA processing and OWWA membership fees, submit online the
seafarer’s contract and print the electronic Overseas Employment
Certificate (OEC) of the seafarers in the comfort of the agency’s
office.”70 Otherwise, agencies that fail to register to the SBECS “will
be reverted to regular counter processing.”71

67 See Data Privacy Act of 2012, § 3(g): Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
68 Id. § 12(f).
69 POEA Memorandum Circular No. 06-2018, § 1, ¶ 1.

In order to use the SBECS, the agency had to provide a list of names
and email addresses to the POEA, which shall serve as the agency’s
request or nomination for enrollment or availment of the POEA’s
system.72 The SBECS also could only be accessed by “authorized
users”,73 which means that the account had to be specific to a
person. Thus, MSMI needed to provide JRO’s name and email
address to comply with the said Circular. After complying, MSMI
had the authority to use the POEA account given that it owned the
POEA Code and issued Oller’s company email.

The account or credentials which is authorized to use the SBECS,
including the name registered in its system, cannot be immediately
changed by the company. SBECS is managed by the POEA. As
discussed, the LMA has to nominate its authorized users for the
POEA’s approval,74 and POEA is the one who authorizes the
nominated users of the LMA, to quote from the Circular:

xxx

If the SBECS requirements mentioned above are met by the agency,
the POEA ICT Branch shall enroll the user credentials in the system.
Authorized users shall receive their username and system link
through the email address indicated in the agency REAPS.75

Through a letter dated 18 December 2018, MSMI undertook to inform
the POEA about JRO’s resignation and that its new liaison officer
was RDR.76 POEA acknowledged the same through a letter dated
03 January 2019.77

70 Id.
71 Id., § 5.
72 Id., § 2, ¶ 1.
73 Id., see also § 3, ¶ 1.2.
74 Id., § 2, ¶ 1.
75 Id., § 3, ¶ 1.2.

The Commission emphasizes that access to the SBECS had to be
allowed by POEA.78 However, the evidence shows that MSMI only
gained access from POEA for RDR in April 2019.79 Thus, even though
JRO resigned as of 31 December 2018, MSMI could not immediately
use the POEA account via RDR’s credentials since this was dependent
on POEA enrolling the user’s credential in its system.

Relatedly, JRO alleges that the MSMI should not have used his email
after his resignation, given that there were two other people that
had access to the SBECS.80 As proof of this claim, JRO submitted a
signed Request for Enrollment and Availment of POEA e-Services
(REAPS).81

However, as the form itself states, the REAPS is a request form,
and does not indicate the action done by POEA regarding MSMI’s
request. Thus, at best, the REAPS only shows that MSMI requested
three users to be authorized to use the SBECS. It does not prove,
however, that POEA actually approved all three (3) nominated
names to use the SBECS.

JRO has not proven, with substantial evidence, that MSMI had two
(2) other authorized users that could have accessed the SBECS. In
comparison, MSMI was able to adequately prove that it only had
access for Dela Rosa in April 2019.82

As the REAPS also shows, RDR was one of the persons cited in the
request form to be authorized to use the SBECS.83 The Commission
notes that MSMI had to request the POEA to register RDR as the
new POEA liaison officer after JRO’s resignation.84 This new position
was duly acknowledged by the POEA in its letter dated 03 January
2019.85 These circumstances discredit JRO’s claim that the other
requested names in the REAPS were ultimately authorized by the
POEA since MSMI had to request access for Dela Rosa as its new
liaison officer.

76 Motion to Dismiss dated 02 July 2019 of MSMI, Annex “F”.
77 Id., Annex “G”.
78 See POEA Memorandum Circular No. 06-2018, § 3, ¶ 1.2.
79 Motion to Dismiss dated 02 July 2019 of MSMI, Annex “H”.
80 Comment and Opposition to the Motion to Dismiss dated July 2, 2019 with Prayer for the Issuance of Cease and Desist Orders as Provided for Under Chapter II, Section 7(a)(b)(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic) of JRO, ¶ 3.
81 Id., Annex “A”.
82 Motion to Dismiss dated 02 July 2019 of MSMI, Annex “H”.
83 Comment and Opposition to the Motion to Dismiss dated July 2, 2019 with Prayer for the Issuance of Cease and Desist Orders as Provided for Under Chapter II, Section 7(a)(b)(c)(d) AND (i) of R.A. 10173, dated 10 June 2019 (sic) of JRO, Annex “A”.
84 Motion to Dismiss dated 02 July 2019 of MSMI, Annex “F”.

Given the circumstances, MSMI’s processing was valid considering
that it used the company-linked POEA Code through a company-issued
email to use the POEA account owned by MSMI. It also
adequately established that its new liaison officer, Dela Rosa, only
had access to SBECS months after JRO’s resignation, even though
the company already informed POEA about these facts.

Under Section 12(f) of the DPA, the PIC’s legitimate interest may be
“overridden by fundamental rights and freedoms of the data subject
which require protection under the Philippine Constitution.”86 In
this case, JRO has not sufficiently alleged, or proven, that he has
fundamental rights enshrined in the Constitution that would override
MSMI’s legitimate interests.

In sum, the Commission finds that MSMI’s processing is considered
as “necessary for the purposes of the legitimate interests” since the
use of the SBECS is provided by POEA, validly authorized given the
circumstances, and is integral to its business processes as an LMA.

WHEREFORE, premises considered, the Complaint is hereby
DISMISSED for lack of merit.

SO ORDERED.

City of Pasay, Philippines.
31 March 2022.

85 Id., Annex “G”.
86 Data Privacy Act of 2012, § 12(f).

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

WE CONCUR:

Sgd.
DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner

(Inhibited)
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Copy furnished:

JRO
Complainant

MSMI
Respondent

AML
Counsel for Respondent

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission



NPC SS 21-005
Decision
Page 1 of 31

IN RE: ORIENTE EXPRESS TECHSYSTEM CORPORATION (CASHALO)
AND ITS RESPONSIBLE OFFICERS

NPC SS Case No. 21-005
For: Violation of the Data Privacy Act of 2012
x----------------------------------------------------x

DECISION

NAGA, P.C.;

Before this Commission is the Fact-Finding Report (FFR) with
Application for the Issuance of a Temporary Ban on processing of
personal data filed by the Complaints and Investigation Division
(CID) of the National Privacy Commission (NPC) dated 09 June 2021,
which serves as its Complaint (Complaint) pursuant to the NPC’s
power to conduct a sua sponte investigation.1 The Complaint alleged
violations of Republic Act No. 10173, or the Data Privacy Act of 2012
(DPA), by Oriente Express Techsystem Corporation (OETC) which
operates the Cashalo online lending application (Cashalo).

Facts

On 09 June 2021, the CID submitted its FFR with Application for the
Issuance of a Temporary Ban against OETC. The CID alleged that
OETC violated Sections 11, 16, and 25 of the DPA and Section 3(D)(4)
of NPC Circular No. 20-01 (Guidelines on the Processing of Personal
Data for Loan-related Transactions).2

The CID, in its Complaint, alleged the following:

1 See National Privacy Commission, 2021 Rules of Procedure of the National Privacy Commission, NPC Circular No. 2021-01, rule I, § 4(p); rule X, §§ 4-5 (28 January 2021) (2021 NPC Rules of Procedure).
2 Fact-Finding Report (with Application for Issuance of Temporary Ban on the Processing of Personal Data) dated 09 June 2021 of the Complaints and Investigation Division, at p. 18. (Fact-Finding Report)

Cashalo is a loan-related application available at the Google Play Store,
with SEC Registration No. CSC201800209 and Certificate of Authority No.
1162. All loans under the Cashalo Platform are financed by Paloo Financing
Inc.

On 14 May 2021, the CID simulated the app installation and registration
process for loan application with the Cashalo App.

xxx

Upon installation, a consent screen on the application appeared requiring
access to Phone, Messaging, Contacts, Location, and external data from
other applications. When the downloaded application was opened, a
notification asking access to the contacts appeared. The CID tried to
decline the asked permission, but the application asked again for the
permission to access the contacts.

In providing character references, there was no separate interface in the
App. There was no manual way of entering a phone number and that it
must be through giving access to the contacts list. The loan application
will not proceed to the next step without the character reference’s phone
number.

The CID noticed that the Cashalo application utilized the Cordova plugin to
fetch the contact information on the test device.3 (citations omitted)

In the CID’s Technical Report dated 14 May 2021, it further alleged:

10. As part of Android’s programming capability, the Android SDK provides
coding for Contacts retrieval wherein an application will have the ability to
collect data from contacts. That being said, Android supports user privacy
through App permissions. The user has control over the data that they
share with apps, the user understands what data an app uses, and why
the app accesses this data and an app accesses and uses only the data
that’s required for a specific task or action that the user invokes.4

3 Id., at pp. 1-2.
4 Technical Report dated 14 May 2021 of the Complaints and Investigation Division, ¶ 10. The Technical Report is cited in the Fact-Finding Report.

DECISION - NPC SS 21-005 221

In its Complaint, the CID stated that OETC failed to adhere to the
requirements of the DPA, specifically Section 11 which deals with the
General Data Privacy Principles (transparency, legitimate purpose,
proportionality).5

For the principle of transparency, the CID explained that this is
related to the data subject’s right to information under Section 16 of
the DPA.6 The CID claimed that OETC failed to uphold the principle of
transparency since it “failed to provide the purpose for the storage
of the personal information accessed, and such cannot be seen in
the App’s Privacy Notice nor can be deduced from the permission
it requires.”7

In terms of the legitimate purpose principle, the CID argued that it
is upheld when one of the criteria for lawful processing, as provided
in Sections 12 and 13 of the DPA, is met.8 According to the CID,
OETC does not have a legitimate purpose in processing personal
information of its users since it was done without valid consent.9 The
CID stated that in Cashalo’s Privacy Policy, the data subjects have no
opportunity to make an informed choice since in order for the users
to avail of Cashalo’s services, they have no choice but to accept the
terms and conditions it provided.10 CID further stated that such act
of OETC is “misleading and inherently unfair.”11

The CID argued that Cashalo can access and store the personal
information of the data subjects including their phone contacts,
which is not relevant to the purpose of a loan transaction.12

Moreover, the CID stated that “the respondent is without a valid
consent or authority under the DPA and other existing laws, to
process and store the phone contacts of the borrowers. As such it
should be deemed to be unauthorized and in violation of Section 25
of the DPA.”13

5 Fact-Finding Report of the Complaints and Investigation Division, pp. 8-15.
6 Id., at pp. 9-10.
7 Id., at p. 10.
8 Id., at p. 11.
9 Fact-Finding Report of the Complaints and Investigation Division, at p. 12.
10 Id., at p. 12.
11 Id.
12 Id., at p. 13.

The CID alleged that in terms of proportionality, OETC failed to
clearly indicate in Cashalo’s Privacy Notice the purpose and extent of
accessing the personal information of its clients, including their phone
contacts.14 The CID also referred to the portion of Cashalo’s Privacy
Notice which states that OETC, with its subsidiaries and affiliates,
“may share any and all information relating to User to each other
for any legitimate business purposes [such as]…credit collection,
outsourcing of collections to third parties, remedial measure for
collection (i.e. referral to agents and lawyers for collection).”15
Further, in the Privacy Notice’s “Use/Purpose of Personal Data”,
the CID cited that one of Cashalo’s enumerated use/purpose is
“to facilitate loan processing from application, review, monitoring,
payment, collection and other remedial measures.”16

The CID concluded that OETC “intends to process any and all
information about the data subject, including phone contacts, for
purposes of debt collection.”17

Accordingly, the CID alleged that the processing of the data subject’s
information for debt collection violated Section 3(D)(4) of the NPC
Circular No. 20-01.18 It faulted OETC for having a Privacy Policy
that was vague and ambiguous since it declared that any and all
information of the data subject may be used for purposes, which
included debt collection.19 The CID stated that the consent given by
Cashalo’s users cannot be considered free, voluntary, and informed
because data subjects have no choice but to allow access to its
phone contact list to avail of OETC’s loan service.20

13 Fact-Finding Report of the Complaints and Investigation Division, at p. 14.
14 Id.
15 Id., at p. 14. See Supplemental Report dated 31 May 2021, Annex “A”.
16 Id.
17 Fact-Finding Report of the Complaints and Investigation Division, at p. 14.
18 Id.
19 Id., at p. 15.
20 Id.

The CID further argued that OETC is liable for Section 25 of the DPA
that deals with the unauthorized processing of personal information
and sensitive personal information.21 It contended that:

[M]ere permissions before installation of the mobile application and
during the launch of the application itself does not suffice as a valid
consent, as consent cannot be said to be made in an informed, free,
and voluntary manner. Respondent’s clients were left with no choice
but to allow permissions, whose purposes were vaguely provided
in its Privacy Policy, in order to use the application and apply for a
loan.22

OETC’s Board of Directors (BOD) were the responsible officers
liable for Section 25 of the DPA since the BOD was the one “who
decides [for the corporation] and should have the duty of diligence.
The violation of the corporation is a violation of the person behind it
which are its officers or board.”23

The CID also prayed for the issuance of temporary ban on the
processing of personal information in relation to the Cashalo app.24 It
stated that there was substantial evidence to warrant the temporary
ban’s issuance given that “[OETC’s] processing of personal data
[was] without adherence to the Data Privacy Principles enshrined in
the DPA”, and since it was violative of NPC Circular 20-01, Section
3 (D)(4) since “there [was] sufficient information to support that
[OETC] has the ability to access, store, and copy phone contact
lists of its borrowers and utilizes that stored data for use in debt
collection or to harass its borrowers”.25 Further, the CID claimed that
the temporary ban’s issuance was crucial for the preservation and
protection of the data subjects’ rights.26 The CID concluded that all
of the grounds for the issuance of a temporary ban were present.27

21 Fact-Finding Report of the Complaints and Investigation Division, at p. 16.
22 Id.
23 Id., at p. 17.
24 Id.
25 Fact-Finding Report of the Complaints and Investigation Division, at p. 17.
26 Id.
27 Id., at p. 18.

On 16 June 2021, the Commission issued an Order directing OETC to
submit its Position Paper in lieu of a summary hearing within ten (10)
days from receipt of said Order.28

On 09 July 2021, OETC’s legal counsel filed its Entry of Appearance
and an Urgent Manifestation with Motion for Leave and Time to File
Position Paper (Re: Order dated 16 June 2021).29 OETC prayed for an
extension of at least fifteen (15) days to submit its Position Paper.30

On 15 July 2021, the Commission granted OETC’s request for
extension to file its Position Paper.31

On 23 July 2021, OETC submitted its Position Paper Ad Cautelam
(Position Paper).32

In its Position Paper, OETC argued that: 1) the CID’s Complaint did
not establish all the requisites for the issuance of a temporary ban,33
2) it did not violate the DPA and NPC Circular No. 20-01 since the
processing and collecting of personal data of Cashalo users was
valid, had legitimate purposes, and done in accordance with the
Philippines’ data privacy laws;34 and 3) OETC’s officers or BOD
were not liable for violations of the DPA.35

OETC argued that the CID failed to establish that a temporary ban
was needed to protect public interest since its Complaint lacked any
specific allegation that OETC was engaging in unscrupulous debt
collection methods.36 Rather, it only alleged numerous complaints
against unnamed online lending applications (OLAs), without proving
that OETC was actually the cause of these complaints.37

28 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Order dated 16 June 2021, at p. 2.
29 Entry of Appearance and Urgent Manifestation with Motion for Leave and Time to File Position Paper (Re: Order dated 16 June 2021) dated 09 July 2021 of Oriente Express Techsystem Corporation.
30 Id., at p. 4.
31 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Resolution dated 15 July 2021, at p. 2.
32 Position Paper Ad Cautelam dated 23 July 2021 of Oriente Express Techsystem Corporation.
33 Id., ¶¶ 43-61.
34 Id., ¶¶ 62-147.
35 Id., ¶¶ 148-152.
36 Position Paper Ad Cautelam dated 23 July 2021 of Oriente Express Techsystem Corporation, ¶¶ 44-50.

OETC argued further that the CID failed to prove that there were
facts entitling the issuance of a temporary ban since its allegations to
warrant the issuance of a temporary ban were “clearly unfounded”.38
In disproving the CID’s argument that it failed to inform the data
subjects of the extent of its processing, OETC claimed that the
Cashalo app “notifies the user multiple times of the purpose(s)
for data collection” through its Privacy Policy and “simplified pop-
up boxes”.39 As to the CID’s allegation that the Cashalo app “has
the ability to access, store, and copy phone contact lists”,40 OETC
explained that its access to phone contacts was only for “Know
Your Customer” (KYC) measure, fraud prevention and credit scoring
purpose.41

OETC claimed that it did not violate Section 11 (with regard to
legitimate purpose) and Section 16 (in relation to a data subject’s right
to information) of the DPA since “there are legitimate purpose(s)
for the processing of personal information and the same were fully
disclosed to Cashalo app users.”42

OETC also averred that it did not violate Section 25 of the DPA
because “all instances of processing done by [OETC], through the
Cashalo app, have the free, specific and informed consent of the
data subjects who have been sufficiently informed in a concise,
transparent, and intelligible manner as to which information are
being processed, as well as the purposes for such processing.”43

OETC emphasized that its users enter private loan contracts with
the company akin to contracts of adhesion, which are not contracts
automatically considered illegal, unfair, or vitiates the user’s
consent.44

37 Id.
38 Id., ¶ 52.
39 Id., ¶ 53.
40 See Fact-Finding Report of the Complaints and Investigation Division, at p. 17.
41 Position Paper Ad Cautelam dated 23 July 2021 of Oriente Express Techsystem Corporation, ¶ 57.
42 Id., ¶ 73.
43 Id., ¶ 90.

For its processing of phone contacts, OETC claimed that the
processing was valid, and once the user completes the loan
application, the Cashalo app notifies users that they may already
remove access to their phone contact lists.45

OETC disputed the CID’s claim that the Cashalo app does not provide
a separate interface for users to provide character references, since
there was an interface that allows its users to freely select their
preferred character references, with corresponding details.46

Nevertheless, OETC stated that it will be implementing the following
developments: 1) “all instances of references selection in the Cashalo
app will no longer trigger or require permission to access phone
contacts”,47 2) while there is an existing in-app messaging platform
to inform users that they may remove device permissions, there
will also be an identical pop-up notice having the same function,48
3) update of its Privacy Policy to further clarify its personal data
processing,49 and 4) allowing users to apply for a loan even if the
permission to access their location is denied.50

OETC manifested that it would be implementing the developments
via an updated Cashalo app which will be submitted to Google Play
Store for review and approval.51

Thus, OETC prayed for the Commission to deny the issuance of a
temporary ban on the processing of personal data with respect to
the Cashalo app and dismiss the sua sponte investigation for lack of
merit.52

44 Id., ¶¶ 95-97.
45 Position Paper Ad Cautelam dated 23 July 2021 of Oriente Express Techsystem Corporation, ¶¶ 101-102.
46 Id., ¶¶ 135-139.
47 Id., ¶ 156.
48 Id., ¶ 157.
49 Position Paper Ad Cautelam dated 23 July 2021 of Oriente Express Techsystem Corporation, ¶ 158.
50 Id., ¶ 159.
51 Id., ¶ 155.

On 29 July 2021, the Commission issued an Order directing CID to
submit its comment on OETC’s Position Paper.53 In the same Order,
the Commission also set a virtual Clarificatory Hearing to be held on
19 August 2021.54

The CID thereafter submitted its Comment/Opposition (to
Respondent’s Position Paper dated 23 July 2021) dated 13 August
2021 (Comment).55

In its Comment, the CID claimed that it made an investigation on the
revised Cashalo app.56 Particularly, the CID alleged that OETC “tried
to remedy the issue regarding the access and storing of the data
subject’s contacts by removing the permissions and asking them to
manually input contacts of their own preference to be designated as
reference contacts.”57 Nevertheless, the CID argued:

However, even though this update was made, the respondent failed to
rebut the fact that the application does not have the ability to store the
data of the data subject’s using their application.58

The CID also raised the problem that OETC allegedly already had
access to the data of those data subjects who applied for loan
before the update was made.59 Further, the CID argued that data
subjects who applied for a loan before the update would still be able
to access the old version of the application since the update applies
prospectively.60

52 Id., at p. 59.
53 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Order dated 29 July 2021, at p. 4.
54 Id.
55 Comment/Opposition (to the Respondent’s Position Paper dated 23 July 2021) dated 13 August 2021 of the Complaints and Investigation Division.
56 Id., ¶ 4.
57 Id., ¶ 5.
58 Id., ¶ 6.
59 Id., ¶ 7.
60 Id., ¶¶ 7-8, ¶ 11.

In support of its allegation that OETC violated Section 3(D)(4) of NPC
Circular No. 20-01, the CID pointed out that since OETC hurriedly
revised the Cashalo app after the sua sponte investigation, this act
was already an admission that it has the capacity to access the
contacts of its clients through their mobile phones.61
revised the Cashalo app after the sua sponte investigation, this act
was already an admission that it has the capacity to access the
contacts of its clients through their mobile phones.61

The CID maintained that there was substantial evidence to warrant
the issuance of a temporary ban on the processing of personal data
against OETC in relation to its Cashalo app.62

Through an Order dated 17 August 2021, the Commission
rescheduled the clarificatory hearing to 26 August 2021 instead of 19
August 2021,63 after OETC submitted an Urgent Motion to Reset the
Clarificatory Hearing Scheduled on 19 August 2021, dated 16 August
2021, due to the Enhanced Community Quarantine implemented in
Metro Manila.64

On 26 August 2021, the Commission conducted a clarificatory
hearing. In an Order dated 26 August 2021, OETC was ordered to
submit the following documents to the Commission:

1. Evidence showing its implementation of the representations made to
the Commission during the hearing, specifically on the removal of access
to the contact list and location data;

2. Copy of a certificate of deletion of the data when the data subject has
requested for the deletion of their data or proof of confirmation of deletion
of data when the data subject has furnished the request via electronic
mail; and

3. Copy of the Platform Services Agreement between Oriente Express
Techsystem Corporation and Paloo Financing Inc.65

61 Id., ¶ 23.
62 Comment/Opposition (to the Respondent’s Position Paper dated 23 July 2021) dated 13 August 2021 of the Complaints and Investigation Division, ¶ 25.
63 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Order dated 17 August 2021, at p. 3.
64 Urgent Motion to Reset the Clarificatory Hearing Scheduled on 19 August 2021 dated 16 August 2021 of Oriente Express Techsystem Corporation.
65 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Order dated 26 August 2021, at pp. 1-2.

OETC thereafter submitted its Compliance [Re: Order dated 26
August 2021] dated 03 September 2021.66 OETC manifested that it
no longer requests access to contacts even for KYC, fraud prevention
and credit scoring.67 OETC supported this claim by submitting a video
which shows the installation of the Cashalo app and the permissions
required.68 OETC also provided the following proof:

1) Photos/screenshots of Manual Entry of References, with separate interface;69

2) Photos/screenshots of Optional Location Permission Access;70

3) Proof of Request for the Deletion of Data Subject/s’ Data furnished via electronic mail and its corresponding Proof of Confirmation of Deletion of Data;71 and

4) Copy of the Platform Service Agreement between OETC and Paloo Financing Inc.72

On 17 September 2021, the Commission issued an Order which denied the CID’s application for a temporary ban, with the following dispositive portion, to wit:

WHEREFORE, premises considered, this Commission DENIES the Application for Temporary Ban on the processing of personal data filed by the Complaints and Investigation Division of the National Privacy Commission for failure to satisfy the requisites for the issuance of Temporary Ban specifically, Section 3(1) and (2), Rule IX of the NPC Circular No. 20-01. The Commission hereby ORDERS Respondent Oriente Express Techsystem Corporation and its Responsible Officers within a non-extendible period of FIFTEEN (15) days from receipt of this ORDER to:

1. Revise its Privacy Policy and processes to conform with Republic Act No. 10173, known as the Data Privacy Act of 2012, as its Privacy Policy should match its representations and admissions discussed during the Clarificatory Hearing held last 26 August 2021; and
2. Submit proof of compliance of its revised Privacy Policy and processes.73

66 Compliance [Re: Order dated 26 August 2021] dated 03 September 2021 of Oriente Express Techsystem Corporation.
67 Id., ¶ 2.
68 Id., ¶ 2.1; See video file of Oriente Express Techsystem Corporation.
69 Id., ¶ 2.2; Annex “1”.
70 Compliance [Re: Order dated 26 August 2021] dated 03 September 2021 of Oriente Express Techsystem Corporation, ¶¶ 4-6; Annex “2” and video file of Oriente Express Techsystem Corporation.
71 Id., ¶ 7; Annexes “3” & “4”.
72 Compliance dated 26 August 2021.

With the issuance of the Order denying the CID’s Application for
Temporary Ban, the proceedings before the Commission based
on the CID’s Complaint against OETC resumed, pursuant to Rule
IX, Section 2 of NPC Circular 2021-01, or the 2021 NPC Rules of
Procedure.74

On 10 December 2021, OETC submitted: 1) its revised Privacy Policy in compliance with the Order dated 17 September 2021,75 and 2) proof of revisions made in the Cashalo app.76

On 31 March 2022, the Commission ordered both the CID and OETC
to submit their respective Memoranda within fifteen (15) days from
receipt of the Order.77

On 16 May 2022, the CID submitted its Memorandum.78 The CID maintained that OETC violated Sections 11, 12, 13, and 16 of the DPA, since it failed to adhere to the principles of transparency, legitimate purpose, and proportionality.79

73 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Order dated 17 September 2021, at pp. 26-27.
74 Id., at p. 27. See NPC Circular No. 2021-01, rule VIII, § 4.
75 Compliance dated 10 December 2021 of Oriente Express Techsystem Corporation, ¶ 2; Annex “1”.
76 Id., ¶ 3. See video files of Oriente Express Techsystem Corporation.
77 In re: Oriente Express Techsystem Corporation (Cashalo), NPC SS 21-005, Order dated 31 March 2022.
78 Memorandum dated 16 May 2022 of the Complaints and Investigation Division, at pp. 3-7.
79 Id., at p. 3.


The CID argued that OETC violated the transparency principle since “[it] failed to provide clearly in their privacy policy what is the purpose/s why they access and store the personal information of their clients.”80

The CID also alleged that OETC violated the principle of legitimate
purpose, reasoning thus:

The Respondent however, failed to provide any proof that its data subjects
consented to the processing of their personal information and sensitive
personal information through written, electronic, recorded means,
before or even after they entered their information in the application.
This is particularly evident in the processing (collection and retention) of
borrower’s phone contact list that is not germane to the purpose of the
loan transaction entered into with the Respondent.81

The CID further argued that OETC violated the proportionality principle by using dangerous permissions to access a user’s Phone, Location, Storage, and Camera.82

According to the CID, OETC violated Section 25 of the DPA.83 It contended that OETC’s processing of the phone contact lists of its clients may be considered as unauthorized processing since the “information [was] used for purposes without the data subject’s [clear] consent or otherwise authorized by law.”84 The CID also pointed out that during the clarificatory hearing, OETC allegedly admitted that “[it is] using the personal information of the clients that [it] accessed and stored for marketing purposes.”85

The CID also faulted OETC for accessing its data subjects’ contacts
since this was allegedly excessive in relation to the loan application.86

80 Id.
81 Id., at p. 5.
82 Memorandum dated 16 May 2022 of the Complaints and Investigation Division, at p. 5.
83 Id., at pp. 7-8.
84 Id., at p. 7.
85 Id., at pp. 7-8.
86 Memorandum dated 16 May 2022 of the Complaints and Investigation Division, at p. 8.


Moreover, the CID stated that if OETC is found liable, the penalty
should be imposed upon its BOD being the responsible officers who,
by their gross negligence, allowed the commission of the violations.87

On 17 May 2022, OETC submitted its Memorandum.88 OETC emphasized that it did not violate Sections 11 and 16 of the DPA since there were “legitimate purpose/s for the processing of personal information and the same were fully disclosed to the Cashalo app users” in the Privacy Policy and pop-up notification boxes.89 These purposes are “to conduct and perform fraud monitoring, detection, analysis, and prevention; to develop, enhance and maintain a risk assessment process and model, offline and online; and to develop and generate a credit score, credit model and user, model among others.”90 OETC further claimed that Cashalo’s Privacy Policy was also clear, unambiguous, concise, and simple.91

OETC likewise argued that it did not violate Section 25 of the DPA
since it has been able to procure the free, specific, and informed
consent of the Cashalo app users.92 It submitted that the CID’s
Complaint failed to prove by substantial evidence that the purposes
for the processing of Cashalo app users’ personal data was actually
vague.93

OETC claimed that it was able to obtain its users’ valid consent even
if the contracts may be considered as contracts of adhesion, since
the users are free to reject the permissions asked for by the Cashalo
app.94 OETC further argued that consent was validly obtained from
its users since they were “sufficiently informed, multiple times, in a
concise, transparent, and intelligible manner as to which information
are being processed, as well as the purposes for such processing.”95

87 Id.
88 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation.
89 Id., ¶¶ 85-86.
90 Id., ¶ 30.
91 Id., ¶¶ 90-91.
92 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶¶ 98-129.
93 Id., ¶ 104.
94 Id., ¶¶ 106-110.
95 Id., ¶ 123.


Further, OETC averred that it did not violate Section 3(D)(4) of NPC
Circular No. 20-01.96 Aside from CID’s alleged failure to substantiate
the violation,97 the updated Cashalo app also no longer triggers
or requires permission to access phone contacts since this was
completely replaced with a manual entry field.98 Even in previous
versions of the Cashalo app, OETC claimed that it never processed
the user’s phone contact list for debt collection or harassment, but
did so only for legitimate reasons such as KYC.99

Finally, OETC concluded that considering that it did not violate the
DPA and NPC Circular No. 20-01, there was no basis for holding its
officers or Board of Directors liable.100

Issues

I. Whether OETC did not adhere to the general data privacy principles
of transparency, legitimate purpose, and proportionality.

II. Whether OETC violated Section 25 of the DPA.

III. Whether OETC violated the provisions under Section 3(D)(4) of NPC Circular No. 20-01.

Discussion

Under the DPA, the NPC has the obligation to ensure a personal
information controller’s compliance with the law101 and institute
investigations when necessary.102

96 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶¶ 130-171.
97 Id., ¶¶ 130-138.
98 Id., ¶ 139.
99 Id., ¶ 140.
100 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶¶ 172-176.
101 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173, chapter II, § 7(a) (2012).
102 Id. § 7(b).


The NPC’s mandate is supported by NPC Circular No. 2021-01, which provides the procedure for sua sponte investigations of circumstances surrounding possible privacy violations or personal data breaches.103

The NPC’s CID is the division tasked to, among others, “[institute]
investigations regarding violations of the Act, these Rules, and other
issuances of the Commission, including violations of the rights of
data subjects and other matters affecting personal data.”104

The FFR of the CID serves as the complaint in the sua sponte
investigation.105 An FFR is submitted to the Commission en banc “for
its perusal to determine whether violations of the Data Privacy Act
of 2012 (DPA) were committed. Considering that the FFR contains all
the findings of the investigating division of the NPC, such document
is the complaint initiating the administrative proceedings in cases of
sua sponte investigation.”106 The term sua sponte, when translated,
means “of one’s own accord”.107 Consequently, the NPC, through the
CID, initiated of its own accord a complaint against OETC by filing the
FFR. In effect, the CID serves as the complainant in the proceedings
against the respondent. Meanwhile, the NPC’s Commission en banc
acts as a collegial body to adjudicate the case.108 It shall review the
evidence presented, including the FFR and supporting documents.109

In administrative proceedings like this case, complainants “carry the burden of proving their allegations with substantial evidence.”110 As further explained by the Supreme Court in De Jesus v. Guerrero III:

103 NPC Circular No. 2021-01, rule X, §§ 5-6.
104 National Privacy Commission, Implementing Rules and Regulations of the Data Privacy Act of 2012, rule III, § (e)(1) (2016) (IRR of the DPA).
105 NPC Circular No. 2021-01, rule X, §§ 3-5. See In re: FCash Global Lending Inc., Operating FastCash Online Lending Application, NPC 19-909, Resolution dated 28 April 2022.
106 In re: FCash Global Lending Inc., Operating FastCash Online Lending Application, NPC 19-909, Resolution dated 28 April 2022, at pp. 3-4.
107 Id., at p. 4.
108 See Data Privacy Act of 2012, chapter II, § 7(b).
109 NPC Circular No. 2021-01, rule VIII, § 1.
110 Office of the Ombudsman v. Fetalvero, Jr., G.R. No. 211450, 23 July 2018.


In administrative proceedings, the quantum of proof necessary for a finding of guilt is substantial evidence, i.e., that amount of relevant evidence that a reasonable mind might accept as adequate to support a conclusion. Further, the complainant has the burden of proving by substantial evidence the allegations in his complaint. The basic rule is that mere allegation is not evidence and is not equivalent to proof. Charges based on mere suspicion and speculation likewise cannot be given credence. Hence, when the complainant relies on mere conjectures and suppositions, and fails to substantiate his allegations, the administrative complaint must be dismissed for lack of merit.111

Guided by these pronouncements and after carefully considering the evidence and claims of both parties, the Commission dismisses the complaint for lack of substantial evidence to warrant a finding of a privacy violation.

I. Substantial evidence is lacking to conclude that OETC failed to adhere to the general data privacy principles under the DPA.

The CID posited that OETC “failed to provide the purpose for the
storage of the personal information accessed, and such cannot
be seen in the App’s Privacy Notice nor can be deduced from the
permission it requires”, thus failing to adhere to the principle of
transparency.112 OETC countered that the purposes for processing
personal data are found in Cashalo’s Privacy Policy,113 in its pop-up
boxes informing users of the permissions required,114 and through
clear and unambiguous language.115

After weighing both claims, the Commission finds that the CID did
not sufficiently prove that OETC failed to adhere to the transparency
principle.

111 G.R. No. 171491, 04 September 2009.
112 Fact-Finding Report of the Complaints and Investigation Division, at p. 10.
113 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 86.
114 Id.
115 Id., ¶ 90.


Under Rule IV, Section 18 of the Implementing Rules and Regulations of the DPA (IRR), transparency is explained as follows:

a. Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.116

From the foregoing, OETC has adequately shown that the Cashalo
app users are informed of the purposes of the processing of
their personal information through its Privacy Policy and pop-up
notification boxes in the Cashalo app.117

In its Privacy Policy, the user is notified of the purposes for collection
of personal data which include the conduct and performance of fraud
monitoring, detection, analysis, and prevention.118 The pop-up boxes
inform the users of the purposes for each application permission in
a way that is specific, plain, and unambiguous.119

In its Compliance dated 03 September 2021, OETC reported that it had updated the Cashalo app so that access to contacts and location permission is no longer requested even for KYC, fraud prevention, and credit scoring.120 In inputting character references, the user can manually input the contact number of his or her character reference.121 Also, for location data, even if the user denies the permission, the application would still proceed to function.122 However, the user has the option to allow access to location data to avail of services such as locating the nearest payment center.123

116 National Privacy Commission, Implementing Rules and Regulations of the Data Privacy Act of 2012, rule IV, § 18(a) (2016).
117 See Position Paper dated 23 July 2021 of Oriente Express Techsystem Corporation, Annexes “2”- Privacy Policy dated 25 May 2021, “2-A”- Privacy Policy dated 27 October 2020, “3-A”- screenshot of pop-up notices.
118 Id., ¶ 10.
119 Id., Annex “3-A”.
120 Compliance [Re: Order dated 26 August 2021] dated 03 September 2021 of Oriente Express Techsystem Corporation, ¶ 2; See also Annex “1” and Annex “2”.
121 Id., ¶ 2.2.
122 Id., ¶ 4.

Through the exchange of pleadings and clarificatory hearing, OETC addressed the issues found in its Privacy Policy and clarified its provisions, namely:

1. The Privacy Policy has already been revised and clarified to remove any mention of data being shared by OETC to third parties for marketing purposes.124

2. With regard to the provision which states that, “once information is provided, changes may no longer be allowed x x x,” Cashalo app users are now allowed to initiate requests to rectify or erase their personal data in the Cashalo app itself. Users can exercise these rights either via email or in the app, which is also made clear in the Privacy Policy.125

3. With respect to the provision stating that “the applications and all supporting documents and any other information obtained relative to this application shall be used by and communicated to OETC and shall remain its property whether or not my credit score is determined, or the loan is granted,” OETC has already removed it since OETC’s ownership of personal data was never the intention of the afore-stated statement.126

4. The Privacy Policy has also expressly stated that third-party individuals shall not be considered co-makers of loans and no payment will be collected from them. Further, it also states that there shall be no attempt to collect from or enforce against third-party individuals for payment collection or remedial measures.127

123 Id., ¶ 6.
124 Compliance by OETC dated 10 December 2021, ¶ 2.1.
125 Id., ¶ 2.2.
126 Id., ¶ 2.3.
127 Id., ¶ 2.5.


The Commission notes OETC’s efforts in implementing its remediation measures for Cashalo’s Privacy Policy, and in complying with the Commission’s orders to enhance how Cashalo app users know the nature, purpose, and extent of the processing of their personal data. To be clear, remediation measures do not cure liabilities under the DPA that have already been incurred. Nevertheless, the Commission finds that Cashalo has adequately shown that it informed its users of the processing through its Privacy Policy and pop-up notifications. Thus, in totality, OETC has provided sufficient evidence that it upholds the transparency principle.

In terms of legitimate purpose, the CID argued that OETC did not
uphold this principle since the Privacy Policy was presented without
an opportunity for data subjects to make an informed choice.128 The
CID reasoned that “[f]or data subjects to avail of [OETC’s] services,
they have no choice but to accept the terms and conditions
provided by [OETC]. Otherwise, data subjects cannot proceed with
the processing to obtain a loan. This act of [OETC] is misleading and
inherently unfair.”129

Further, the CID also claimed that the Cashalo app can access and
store personal information of the data subjects including their phone
contacts. CID argued that such storing of phone contacts is not
related to the fulfillment of the loan transaction with the borrower,130
thus, violating Sections 11, 12, 13, and 16 of the DPA.

OETC disputed the CID’s characterization and claimed that consent was validly acquired, and that there were legitimate purposes for the processing of its users’ personal data.131 The processing of the personal data of the users was based on legitimate purpose, i.e., for anti-fraud assessment, credit assessment, risk underwriting and assessment, transaction processing, and regulatory reporting, among others.132

128 Fact-Finding Report of the Complaints and Investigation Division, at p. 12.
129 Id.
130 Id., at p. 13.
131 Position Paper dated 23 July 2021 of Oriente Express Techsystem Corporation, pp. 2-3.
132 Id.


Section 11 of the DPA provides for the General Data Privacy Principles
and specifically states that:

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only; (Emphasis supplied)133

Moreover, Section 18(b) of the IRR provides that in adhering with the principle of legitimate purpose, “the processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.”134

To reiterate, OETC’s stated purpose for processing information is for anti-fraud assessment, credit assessment, risk underwriting and assessment, transaction processing, and regulatory reporting, among others.135 The CID itself, in its FFR, noted OETC’s purposes found in the Privacy Policy:

While the term ‘legitimate business purpose’ is too general, the Privacy
Policy provided the examples of determining credit score and providing
a loan. But in the ‘Use/Purpose of Personal Data’ portion of the Privacy
Policy, it further provides that borrower’s Personal Data shall be processed,
collected, used, disclosed, stored and retained for the following purposes,
including to facilitate loan processing from application, review, monitoring,
payment, collection and other remedial measures.136

133 Data Privacy Act of 2012, chapter II, § 11(a).
134 IRR of the DPA, § 18(b).
135 Position Paper dated 23 July 2021 of Oriente Express Techsystem Corporation, p. 3.
136 Fact-Finding Report of the Complaints and Investigation Division, at p. 13.


A lending or financing company, like OETC, is not prohibited from processing information for purposes such as preventing fraud, determining credit worthiness, or collecting debt, provided that it be within the bounds of law and related issuances under the DPA.137

Further, OETC’s purposes for processing were determined and declared from the outset. When users click the “Sign Up” button in the Cashalo app, they cannot proceed without scrolling through the Privacy Policy and Cashalo’s Terms of Service.138 Thus, the “Accept” button remains greyed-out and unclickable “unless and until the users have scrolled to the bottom of the [Privacy Policy]”.139

OETC clarified in its updated Privacy Policy that the “contact number/s” it collects are those of the users themselves, and that the phone book of the user’s device is never used for collection and other remedial measures.140 Further, access to contacts is no longer requested in the Cashalo app even for KYC, fraud prevention, and credit scoring.141

The CID characterized Cashalo’s Privacy Policy as being “misleading and inherently unfair” since users have no choice but to accept it to use the app.142 The CID pointed to this as a badge of vitiated consent. The Commission is not persuaded by the CID’s reasoning. Cashalo’s Privacy Policy may be considered a contract of adhesion. When “one party imposes a ready-made form of contract on the other, [this] is not strictly against the law.”143 The Supreme Court has stated that “[a] contract of adhesion is as binding as ordinary contracts, the reason being that the party who adheres to the contract is free to reject it entirely.”144 In other words, users are free to accept or reject the terms of the Privacy Policy. Users who accept are deemed to have given their consent freely. The CID failed to provide other proof or adequate reasoning of the users’ lack or impairment of consent.

137 See National Privacy Commission, Guidelines on the Processing of Personal Data for Loan-related Transactions,
NPC Circular 20-01 (14 September 2020).
138 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 29.
139 Id.
140 Id., ¶ 23.3.
141 Id., ¶ 41.
142 Fact-Finding Report of the Complaints and Investigation Division, at p. 12.
143 Cabanting v. BPI Family Savings Bank, Inc., G.R. No. 201927, 17 February 2016.
144 Id. (Emphases supplied.)


From the records, the Commission finds that OETC has sufficiently
shown that its Privacy Policy and pop-up notices adequately informed
its users on the purposes for collection of personal data and that the
stated purposes are not contrary to law, morals, or public policy.145
Further, since OETC has sufficiently proven that consent was validly
obtained and the purposes for processing were not illegal, OETC did
not violate the principle of legitimate purpose.

Lastly, in terms of proportionality, the CID submitted that the “use of the following dangerous permissions to access the Phone, Location, Storage, and Camera, in its application, violates the principle of proportionality, as it is excessive and unnecessary in fulfilling its purpose of collecting on the data subject’s account or collecting the delinquent account.”146

OETC countered that the Cashalo app requires user-granted permission to access the phone’s contact list only for valid legitimate purposes, such as fraud prevention.147 As “[OETC] is involved in the online lending business, its continued existence heavily depends on the calculated trust they can extend to its users/borrowers.”148

Rule IV, Section 18(c) of the DPA’s IRR states:

Proportionality. The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.149

145 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 30.
146 Memorandum dated 16 May 2022 of the Complaints and Investigation Division, at p. 5.
147 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 141.
148 Position Paper dated 23 July 2021 of Oriente Express Techsystem Corporation, ¶ 126.
149 Implementing Rules and Regulations of the Data Privacy Act of 2012, rule IV, § 18(c).


The proportionality principle is adhered to “when the processing is the least intrusive measure to achieve its purported aims.”150

The Commission finds that OETC has sufficiently proven that the
permission and processing of personal data are adequate, necessary,
suitable and not excessive to its declared purpose.

When users apply for a loan through the Cashalo app by clicking
the “Apply Now” button, users are prompted with pop-up boxes to
allow the app “access to the mobile phone’s camera, photos, and
location”, with separate pop-up boxes per request.151 The Cashalo
app requires the camera and media permissions as part of KYC
processes.152 The camera permission is used for identity verification
and the media gallery is accessed for the user to upload supporting
documents such as proofs of billing, certificates of employment, and
the like.153 The Commission finds that the processing is relevant
and necessary to OETC’s declared and specified purpose. Based
on the records, there was also no substantial evidence to show that
the processing was excessive, or that it could reasonably be fulfilled
through other means.

Other than its allegations that the permissions are dangerous and
excessive, the CID has not provided substantial evidence that OETC’s
processing is outside the purposes stated or that the processing was
unnecessary. Thus, weighing the two parties’ respective allegations
and evidence, the Commission rules that there is no substantial
evidence to find that OETC violated the proportionality principle.
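The proportionality dispute above turned on which runtime ("dangerous") permissions the app declares and on whether a remediation actually dropped one. A reviewer checks that against the app's manifest rather than its privacy policy. The script below is an added example, not code from the decision, the NPC or Cashalo: it parses a decoded AndroidManifest.xml, lists the dangerous permissions by the groups the CID named, and diffs two versions of the manifest. The two manifests and the package name "com.example.lender" are constructed for illustration, and the manifest is assumed to have been decoded from the APK already (for example with apktool); parsing binary AXML is out of scope.

```python
"""Permission audit for a decoded AndroidManifest.xml.

Added example, not part of the NPC decision or of any Cashalo code. It shows
how a reviewer would verify a claim such as "the app no longer requests access
to contacts" from the app's manifest rather than from its privacy policy.

Assumptions (not from the decision): the manifest has already been decoded
from the APK (e.g. with apktool), the package name "com.example.lender" is
hypothetical, and the two manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Android "dangerous" (runtime-granted) permissions relevant to the groups the
# CID named (Phone, Location, Storage, Camera) plus Contacts. Normal
# permissions such as INTERNET are deliberately absent: they are granted at
# install time and raise no runtime prompt.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.GET_ACCOUNTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.CAMERA": "Camera",
}


def requested_permissions(manifest_xml):
    """Return the set of permissions the manifest declares via <uses-permission>.

    <uses-permission-sdk-23> is included because it is the form apps use for
    permissions that are only requested at runtime on API 23 and later.
    """
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter()
        if el.tag in ("uses-permission", "uses-permission-sdk-23")
        and el.get(NAME_ATTR)
    }


def dangerous_by_group(manifest_xml):
    """Group the manifest's dangerous permissions the way a data-minimisation
    review would present them: {"Contacts": {...}, "Location": {...}, ...}."""
    groups = {}
    for perm in requested_permissions(manifest_xml):
        group = DANGEROUS.get(perm)
        if group is not None:
            groups.setdefault(group, set()).add(perm)
    return groups


def permission_diff(old_xml, new_xml):
    """Return (removed, added) between two versions of the same app, to check
    that a remediation actually dropped a permission rather than only hiding
    the prompt behind a different flow."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    return old - new, new - old


# Constructed manifests (not real Cashalo manifests): "before" requests the
# contact list, "after" drops it but keeps camera, storage and location.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lender">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lender">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""


if __name__ == "__main__":
    removed, added = permission_diff(OLD_MANIFEST, NEW_MANIFEST)
    print("removed:", sorted(removed))
    print("added:", sorted(added))
    for group, perms in sorted(dangerous_by_group(NEW_MANIFEST).items()):
        print(group + ":", sorted(perms))
```

Two caveats a practitioner should keep in mind. The manifest shows only what an app can request; whether the app still works when a permission is denied (the optional-location behaviour OETC demonstrated with an installation video) has to be verified dynamically by denying each prompt and exercising the loan flow. And data the app collects without any permission, such as manually entered reference numbers, never appears in this audit at all, so the manifest check complements rather than replaces a review of what the app actually transmits.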

II. OETC cannot be held liable for the violation of Section 25 or Unauthorized Processing of Personal Information and Sensitive Personal Information.

150 MNLC vs PXXX Corporation, Decision dated 29 October 2020, at p. 22.
151 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 45.
152 Id., ¶ 45.
153 Id.


In determining whether a violation of Section 25 of the DPA occurred, three elements must be established with substantial evidence:

1. The accused processed the information of the data subject;

2. The information processed was personal information or sensitive personal information;

3. That the processing was done without the consent of the data subject, or without being authorized under this act or any existing law.154

The CID argued that OETC violated Section 25 of the DPA since
“[OETC] indeed processed the personal information and sensitive
personal information of all of its borrowers without consent being
validly acquired, and the processing not validly authorized under the
DPA and other existing laws, processing will be unauthorized (sic).”155
The CID particularly points to OETC’s processing of the user’s phone
contact list as unauthorized.156 According to the CID, Cashalo users
did not validly consent in allowing the application’s permissions, and
they were left with no choice but to accept these permissions to use
the application.157 Lastly, CID argued that the access to the users’
contact lists is excessive for the loan application.158

OETC emphasized that “the fact that consent was given by Cashalo app users is beyond question since…users would not have been able to proceed with submitting their user profile without providing the necessary consent to access the user’s phone contacts for purposes of KYC, fraud prevention, and credit scoring.”159 It also argued that the CID failed to prove by substantial evidence that the purposes for the processing of personal data of the Cashalo app users were actually vague.160 The users validly gave their consent by being sufficiently informed multiple times of the purposes for processing.161

154 In Re: FLI Operating ABC Online Lending Application, NPC 19-910, Decision dated 17 December 2020, at p. 17.
155 Memorandum dated 16 May 2022 of the Complaints and Investigation Division, at p. 7.
156 Id.
157 Id.
158 Id.
159 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 107.

Here, while the first and second requisites are present, the
Commission finds that the third requisite is lacking.

The first element is present since OETC is a personal information controller (PIC) that processes the personal data of its users through its Cashalo app.162

The second element is also present since OETC collects a user’s full
name, permanent and residential address, contact number/s, email
address, birth date and/or age, gender, employment information,
financial capacity information, bank account details, credit card
and/or financial account information, financial history and details of
government-issued identifications, among other personal data.163
The personal data collected from Cashalo’s users are considered
personal information and sensitive personal information.

The third and last element requires that the processing was done
without the consent of the data subject or without authority under
the DPA or any existing law.164 The CID failed to prove the presence
of this element.

To recall, consent is one of the bases for lawful processing. Sections 12 and 13 of the DPA provide that:

SEC. 12. Criteria for Lawful Processing of Personal Information. – The


processing of personal information shall be permitted only if not otherwise
prohibited by law, and when at least one of the following conditions exists:

160 Id., ¶ 104.
161 Id., ¶ 123.
162 See Data Privacy Act of 2012, § 3(h).
163 Position Paper dated 23 July 2021 of Oriente Express Techsystem Corporation, Annexes “2”- Privacy Policy dated 25 May 2021, “2-A”- Privacy Policy dated 27 October 2020.
164 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173, chapter II, § 7 (2012).


(a) The data subject has given his or her consent;

xxx

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all parties
to the exchange have given their consent prior to processing;165

As discussed, the Privacy Policy may be considered a contract of adhesion, which is not illegal in this jurisdiction. The case of Encarnacion Construction & Industrial Corp. v. Phoenix Ready Mix Concrete Development & Construction, Inc. explains the concept of a contract of adhesion:

A contract of adhesion is one wherein one party imposes a ready-made form of contract on the other. It is a contract whereby almost all of its provisions are drafted by one party, with the participation of the other party being limited to affixing his or her signature or “adhesion” to the contract. However, contracts of adhesion are not invalid per se as they are binding as ordinary contracts. While the Court has occasionally struck down contracts of adhesion as void, it did so when the weaker party has been imposed upon in dealing with the dominant bargaining party and reduced to the alternative of taking it or leaving it, completely deprived of the opportunity to bargain on equal footing. Thus, the validity or enforceability of the impugned contracts will have to be determined by the peculiar circumstances obtained in each case and the situation of the parties concerned.166 (Emphasis supplied)

For the Commission to find that the users’ consent to Cashalo’s Privacy Policy was not validly obtained, the CID must not just allege, but provide substantial evidence, that the users who consented to the Privacy Policy were “completely deprived of the opportunity to bargain on equal footing.”167

165 Data Privacy Act of 2012, chapter II, §§ 12-13.
166 Encarnacion Construction & Industrial Corp. v. Phoenix Ready Mix Concrete Development & Construction, Inc., G.R. No. 225402, 04 September 2017.

On the contrary, OETC has provided adequate proof that users have already been notified twice of what particular data shall be processed and the purposes for their processing.168 These notifications are given at the earliest stage and even prior to the commencement of any processing.169 In relation to consent, there is a natural presumption that “one does not sign a document without first informing himself of its contents and consequences.”170 The CID failed to refute this presumption. Moreover, the CID also failed to prove that there was unauthorized processing that would warrant a violation under Section 25 of the DPA.

The CID also failed to prove that the OETC’s processing of personal
data was violative of the DPA or any other law. As discussed, the
Commission cannot find that OETC particularly violated the general
data privacy principles of transparency, legitimate purpose, and
proportionality found in the DPA. The CID has also not sufficiently
argued that OETC violated any other provision in the DPA or other
laws.

Further, the Commission finds that the CID failed to prove, with
substantial evidence, that the Cashalo app has accessed data stored
in the mobile phone of its users, particularly the user’s contact
list, and that this processing was particularly unauthorized under
the DPA or any other law. As the Supreme Court emphasized in
Government Service Insurance System v. Prudential Guarantee, “it is
basic in the rule of evidence that bare allegations, unsubstantiated
by evidence, are not equivalent to proof. In short, mere allegations
are not evidence.”171

167 Id.
168 Position Paper Ad Cautelam dated 23 July 2021 of Oriente Express Techsystem Corporation, ¶¶ 7-13.
169 Id., ¶ 9.
170 Encarnacion Construction & Industrial Corp. v. Phoenix Ready Mix Concrete Development & Construction, Inc., G.R. No. 225402, 04 September 2017.
171 G.R. No. 165585, 20 November 2013.


Thus, OETC and its responsible officers cannot be held liable under Section 25 of the DPA.

III. There is no substantial evidence to find that OETC violated Section 3(D)(4) of NPC Circular No. 20-01.

Section 3(D)(4) of NPC Circular No. 20-01 states:

SECTION 3. Guidelines. — The processing of personal data for evaluating loan applications, granting loans, collection of loans, and closure of loan accounts shall be subject to the following general guidelines:

xxx

D. Where online apps are used for loan processing activities, LCs,
FCs, and other persons acting as such shall be prohibited from
requiring unnecessary permissions that involve personal and
sensitive personal information.

xxx

4. Access to contact details in whatever form, such as but not limited to phone contact list or e-mail lists, the harvesting of social media contacts, and/or copying or otherwise saving these contacts for use in debt collection or to harass in any way the borrower or his/her contacts, are prohibited. In all instances, online lending apps must have a separate interface where borrowers can provide character references and/or co-makers of their own choosing.172

The CID argued that OETC violated NPC Circular No. 20-01 since
there were dangerous permissions in the Cashalo app (Phone,
Location, Storage, and Camera).173 Further, with regard to OETC’s
alleged processing of the user’s phone contact list for debt collection,
the CID claimed that this was a prohibited activity that violated the
Circular.174

172 NPC Circular 20-01, § 3(D)(4) (14 September 2020).
173 Memorandum dated 16 May 2022 of the Complaints and Investigation Division, at p. 5.
174 Id., at p. 7.


OETC countered that the CID’s allegations were unsubstantiated by evidence. Further, the access to contact lists was for fraud prevention, credit assessment, and KYC.175 This can be proven by the various pop-up boxes notifying the user about the purposes for data processing.176

After weighing the claims and proof of both parties, the Commission
finds that there is a lack of substantial evidence to conclude that
OETC violated Section 3(D)(4) of NPC Circular No. 20-01.

In CID’s Supplemental Technical Report dated 14 May 2021, the CID admitted that “since data transmissions using API are secured, it is difficult to determine if the Cashalo application actually transmits the data to a remote database.”177 The CID explained that “what the phrase means is that it is difficult to determine what data the application is transmitting.”178 Thus, there is insufficient evidence on record for CID to support its claims about dangerous permissions. On the other hand, as discussed, OETC has provided adequate proof that it has not been accessing its users’ contact lists for debt collection or harassment. It has also shown that it has made relevant changes in its Privacy Policy, and application, to better align with NPC Circular 20-01.179

The CID has not proven that OETC accessed the contact list for
unlawful purposes. In any event, OETC has provided proof that its
latest version already removed access to a user’s contact list, even
for KYC, and there is a separate interface for users to input their
character reference.180
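A static audit of an app's declared permissions is the check that would substantiate or refute a "dangerous permissions" claim of the kind the CID raised, and it also shows whether a later build has dropped contact-list access as OETC asserted. The script below is an added example; it is not part of the Commission's decision, the CID's technical report, or any party's evidence. It parses a decoded AndroidManifest.xml (a practitioner would first extract it from the APK with a tool such as apktool), reports which declared permissions fall in the four categories the CID cited (Phone, Location, Storage, Camera), and separately flags any permission that reaches the contact list addressed by Section 3(D)(4) of NPC Circular 20-01. Both manifests are constructed for illustration, and the mapping of Android permission names to those four categories is this example's own assumption.

```python
"""Static audit of an Android manifest's declared permissions.

Added example; not code from the NPC decision, the CID report, or Cashalo.
Assumes the AndroidManifest.xml has already been decoded from the APK
(for example with apktool). The two manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android runtime ("dangerous") permissions grouped under the four categories
# the CID named. The grouping is this example's own assumption.
DANGEROUS_GROUPS = {
    "Phone": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.CALL_PHONE",
        "android.permission.READ_CALL_LOG",
    },
    "Location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "Storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "Camera": {"android.permission.CAMERA"},
}

# Permissions that reach the device contact list, the access that
# NPC Circular 20-01 s. 3(D)(4) prohibits for debt collection or harassment.
CONTACT_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def audit(manifest_xml: str) -> dict:
    """Classify declared permissions and flag contact-list access separately."""
    perms = declared_permissions(manifest_xml)
    dangerous = {
        group: sorted(perms & names)
        for group, names in DANGEROUS_GROUPS.items()
        if perms & names
    }
    contacts = sorted(perms & CONTACT_PERMISSIONS)
    return {
        "dangerous": dangerous,
        "contacts": contacts,
        "contact_access": bool(contacts),
    }


# Constructed sample: an older build that still declares contact access.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lendingapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed sample: a later build with contact-list access removed.
MANIFEST_V2 = MANIFEST_V1.replace(
    '  <uses-permission android:name="android.permission.READ_CONTACTS"/>\n', ""
)


if __name__ == "__main__":
    for label, manifest in (("v1", MANIFEST_V1), ("v2", MANIFEST_V2)):
        print(label, audit(manifest))
```

A manifest declaration proves only that the app can request the data, not that it read or transmitted it. Closing that gap, which is the evidentiary gap the Commission describes, needs runtime observation, such as instrumenting the app or inspecting its API traffic through a TLS-intercepting proxy, rather than static analysis alone.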

In summary, the CID has failed to prove with substantial evidence that OETC and its responsible officers: 1) failed to adhere to the general data privacy principles, 2) violated Section 25 of the DPA, and 3) violated Section 3(D)(4) of NPC Circular 20-01.

175 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 145.
176 Id.
177 Supplemental Technical Report dated 14 May 2021 of the Complaints and Investigation Division, ¶ 15.
178 Comment/Opposition (to Respondent’s Position Paper dated 23 July 2021) dated 13 August 2021 of the Complaints and Investigation Division, ¶ 10. (Emphasis supplied)
179 Memorandum dated 17 May 2022 of Oriente Express Techsystem Corporation, ¶ 139.
180 Id., ¶ 170.

WHEREFORE, premises considered, the Fact-Finding Report with Application for the Issuance of a Temporary Ban against Oriente Express Techsystem Corporation (Cashalo) is hereby DISMISSED.

SO ORDERED.

City of Pasay, Philippines.
16 June 2022.

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

WE CONCUR:
Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Sgd.
DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner

Copy furnished:

CMT
Counsel for Respondent

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission

NPC No. 19-030
CL vs DDZ and DM vs DDZ
Resolutions
Page 1 of 12

RESOLUTIONS

CL,
Complainant,

-versus- NPC No. 19-030
(formerly CID Case No. 19-A-030)
For: Violation of the Data Privacy Act of 2012

DDZ,
Respondent.
x----------------------------------------------------x

DM,
Complainant,

-versus- NPC No. 19-132
(formerly CID Case No. 19-B-132)
For: Violation of the Data Privacy Act of 2012

DDZ,
Respondent.
x----------------------------------------------------x

Resolution

NAGA, P.C.;

For consideration of the Commission is the Motion for Reconsideration dated 11 September 2021 filed by CL and DM (Complainants) on the Decision dated 10 June 2021 which dismissed their Complaints against DDZ (Respondent) for lack of merit.

Facts

The Commission issued a Decision dated 10 June 2021, dismissing the Complaints filed by CL and DM, with the following dispositive portion:

WHEREFORE, all premises considered, this Commission resolves that the instant Complaints filed by CL and DM are hereby DISMISSED for lack of merit.


SO ORDERED.1

Complainants filed a Motion to Suspend the Period of Filing of Pleadings dated 13 August 2021, seeking the application of Supreme Court Administrative Circular No. 56-2021 (SC Circular).2 On 02 September 2021, the Commission issued an Order denying the Motion to Suspend the Period of Filing of Pleadings. However, in the Order, the Commission granted Complainants a non-extendible period of five (5) days upon receipt of the Order to make the filing and service of the necessary pleadings and motion.3

On 07 September 2021, Complainants filed a Manifestation that since the fifth day of the period it was given in the Order fell on 11 September 2021, a Saturday, they had until 13 September 2021 to submit their Motion for Reconsideration (Motion).4

On 13 September 2021, Complainants filed their Motion dated 11 September 2021.

In their Motion, Complainants stated that it is not clear how Respondent obtained a copy of their personal files and closed-circuit television (CCTV) footage of the MVP worksite.5 Complainants argued that Respondent readily proposed that he obtained it from SM and DMV through a legitimate request. However, no evidence was presented to show that such request was made. Further, the letter-request was omitted and no affidavit from SM and DMV was presented.6

Complainants then stated that no request appears in the records of the MVP office and that they were never informed that such request was processed by SM and DMV.7 Moreover, Complainants argued that they made the averment related to the database break-in by Respondent in their Complaints because they are unaware of any purported request for copies of their passports made to the responsible officers of MVP.8

1 Decision, 10 June 2021 at p. 10. NPC 19-030 and NPC 19-132.
2 Id. at p. 2.
3 Order dated 02 September 2021.
4 Id. at p. 3.
5 Motion for Reconsideration dated 11 September 2021, at p. 3.
6 Id.
7 Id.

Complainants further submit that Respondent is not a public authority, did not act under compulsion by order of such public authority, and that the passports were not essential to the prosecution of any of Respondent’s claims.9

Complainants, being aware of Respondent’s allegation that the passports were obtained through a valid request from the previous officers of MVP, state that the said corporation, through its authorized representative AR, instituted a Complaint dated 11 September 2020 against SM, DMV, and DDZ.10

Complainants stated that such Complaint was received and duly acknowledged by the Commission’s Complaints and Investigation Division (CID).11 However, despite the acknowledgement of receipt and promise to review the Complaint, it remains undocketed and has not been acted upon by the Commission.12

Complainants filed a Motion to Consolidate on 16 December 2020. Additionally, they stated that, since more than two (2) months had passed without any Resolution on the Motion, they filed a Motion to Resolve on the issue of consolidation dated 24 February 2021.13 However, according to Complainants, the Commission did not act on these two (2) pending Motions, and it seems that the pending Motions and the verified Complaint filed by MVP were not considered when the Commission rendered the Decision dated 10 June 2021.14

Complainants emphasized that the consolidation of the cases is important since it would expedite the resolution of the issue. Complainants added “if the cases were consolidated, DMV and SM could have been summoned and shed light on the factual circumstances claimed by Respondent DDZ.”15 Further, they stated that the proper resolution of this case will be incomplete, unfair, and unjust since SM and DMV are not allowed to be made part of the case and that the situation calls for a proper remand for investigation.16

8 Id.
9 Id.
10 Id. at p. 5.
11 Id.
12 Id.
13 Id.
14 Id.

On Respondent’s reliance on Section 13(f) of the Data Privacy Act (DPA) of 2012, Complainants argued that attaching the passports to Respondent’s Complaint-letter was not necessary since Complainants being Australian citizens without working visas is not relevant to the criminal and labor cases then existing.17 The nationality or citizenship is also neither an essential element of the crimes mentioned nor would constitute part of the labor case for dismissal. Complainants argued that the virtual nexus between Respondent and Complainants with regard to the contents of the passports does not exist and therefore fails the test provided by NPC Case No. 17-018.18

Moreover, according to Complainants, it was Respondent, together with his cohorts, SM and DMV, who should be guilty of theft of Complainants’ sensitive personal information.19

Complainants also stated that the Office of the Prosecutor, Department of Labor and Employment (DOLE), Clark Development Corporation (CDC), and the Bureau of Immigration (BI) did not ask for the documents.20

The exemption in processing sensitive personal data only applies to Government entities as part of their function, which cannot be said on the part of Respondent since he is not a public officer or functionary and thus cannot claim such exemption as a privilege.21 Complainants cited Section 19 of the DPA which states that “the personal information shall be held in strict confidentiality and shall be used only for the declared purpose”, but since Complainants have not seen a copy of Respondent’s request, they do not know for what purpose his request was made.22 Further, they argued that there is no transparency in the processing of their sensitive personal information.

15 Id. at p. 6.
16 Id.
17 Id. at p. 7.
18 Id.
19 Id. at p. 8.
20 Id. at p. 9.
21 Id. at p. 10.

Moreover, Complainants stated “the Personal Privacy Controller [sic] of the MVP is not even aware that a request was made by Respondent.”23 According to Complainants, it was SM and DMV who processed the sensitive personal information, without informing the data subjects and without authority to do so. Complainants stated that DDZ, SM, and DMV connived to steal their sensitive personal information for a malicious purpose.24

Complainants stated that there is also no legitimate purpose since Respondent did not provide the request made to MVP which shall state the purpose of processing. Further, there is also no proportionality since the information processed was already with the agencies concerned or within the grasp of government agencies; Respondent cannot borrow the government’s rights and privileges.25 According to Complainants, Respondent should provide the evidence of the valid request for processing the information. Respondent has the burden of proving, as a matter of defense, that he is within the exception in the statute creating the offense. Complainants stated that like all matters of defense, the burden of establishing such claim is on the party relying on or invoking it.26

They stated that there is no evidence to support Respondent’s claim that a valid request existed. However, there is ample evidence that there were no requests appearing in the MVP records.27

Based on the Data Protection Officer (DPO) report by Atty. EV, the internal investigation shows that no consent was obtained from the management for the release of Complainants’ documents. There are also no copies of the request claimed by Respondent in the files of MVP.28 Complainants alleged that the intrusion into the data banks of MVP was accomplished in connivance with SM and DMV since they have access even without authority and without informing the data subjects of the processing.29

22 Id. at p. 11.
23 Id. at p. 12.
24 Id. at p. 13.
25 Id.
26 Id. at p. 14.
27 Id. at p. 17.
28 Id. at pp. 17-18.

Further, if a valid request exists, it is within the capacity of Respondent to produce a copy of such request.30

Complainants prayed then that: (a) the Decision dated 10 June 2021 be reconsidered and appropriate remedies and penalties be imposed against Respondent DDZ; and (b) alternatively, that the cases be consolidated with the undocketed case filed by MVP as the issues are intimately related to each other. Should the Commission deem it fit and proper, to remand the case for proper determination with proper issuance of summons to DMV and SM so they can be held responsible for the violation of the DPA.31

On 17 September 2021, the Commission issued an Order, ordering Respondent DDZ to file a Comment on the Motion for Reconsideration dated 11 September 2021 filed by Complainants and to submit the same within fifteen (15) days from receipt of the Order.32

On 22 October 2021, Respondent filed a Motion to Admit Comment together with his Comment.33

In his Comment, Respondent argued that Complainants’ arguments in their Motion are trivial and inconsequential and do not affect the substantial and material discussions of the Commission.34

According to Respondent, Complainants attached as Annex “A” in their Motion a purported complaint which is totally unrelated to the case decided by the Commission and deserves no consideration in the resolution of the said Motion.35

29 Id. at p. 18.
30 Id.
31 Id. at p. 20.
32 Order dated 17 September 2021.
33 Motion to Admit Comment and Comment dated 22 October 2021.
34 Id. at p. 1.
35 Id.


Respondent also stated that the separate Complaints arose from the same set of facts, arguments, and evidence. However, Complainants opted to initiate a Complaint separately to harass and vex Respondent.36 Further, Respondent stated “the undocketed Complaint attached as Annex “A”, also falls to the same malicious story. These only proved Respondent’s claim that the instant cases were filed to unjustly annoy Respondent.”37

Respondent reiterated his allegations that the Complaints were being utilized by Complainants to have leverage over Respondent’s labor case. Since the Labor Arbiter ruled in favor of Respondent on the said labor case, Respondent stated that Complainants will hardly but uselessly pursue these cases, or any other cases against Respondent, to get even.38

In addition, Respondent stated that the Complaints were not only vexatious, but also absurd. According to Respondent, first, Complainants themselves disclosed their passport information to the Commission when they filed their Complaints.39 Second, following their line of thinking, Complainants are guilty of the same charge of violation of the DPA considering that they disclosed sensitive personal information of Respondent, particularly his Alien Certificate of Registration, as an attachment to their Complaints.40

On Complainants’ allegation that he broke into MVP’s database, Respondent stated that Complainants solely relied on surmises and conjectures which are wholly unsupported by legal and factual bases.41

Respondent argued that, like in any other case, Complainants have the burden of proof to show that Respondent violated the DPA.42 He further stated that Complainants failed to provide substantial evidence that Respondent knowingly and unlawfully broke into MVP’s database. Complainants also did not show that there was an actual storage of scanned copies of passports. Moreover, the facilities of MVP are covered by CCTV cameras but Complainants did not attach a video clip or screen capture to prove their claims.43 Respondent stated that he fully subscribes to the findings of the Commission that he cannot be held liable for the violation of Section 29 of the DPA (Unauthorized Access or Intentional Breach).44

36 Id. at p. 2.
37 Id.
38 Id.
39 Id.
40 Id.
41 Id.
42 Id. at p. 3.

Further, Respondent stated that he agrees to a certain extent with Complainants’ allegation that a passport contains personal and sensitive personal information.45 However, he reiterated that such information is excluded from the coverage of the DPA pursuant to Section 4(e) of the DPA. Additionally, he stated that the processing of information contained in the passport is permitted under Section 12(e) and (f) of the DPA, and exempted under Section 13(e) of the DPA.46

He also reiterated that the information of Complainants was necessary in order for the government agencies to perform their statutorily mandated functions.47

Moreover, Respondent stated “Complainants argued that Respondent’s processing of information were not exempted since it was not ‘necessary’ to protect his claim or interest. Complainants argued that the word ‘necessary’ connotes that the sensitive information that was processed should be needed to protect the claim or interest of the party using that information. However, the exemption that Respondent and the Honorable Commission pointed out is found under the phrase ‘or when provided to government or public authority’ of Section 13(f).”48

He also stated that he only processed Complainants’ information with the government agencies which were tasked to enforce laws and protect the lawful rights and interests of natural or legal persons, the Philippine Government, and Filipino citizens.49

Respondent stated that his legitimate interest was to report the illegal acts of Complainants, and although he is not a Personal Information Controller (PIC), his processing is permitted as a “third party” pursuant to Section 13(f) of the DPA.50 Further, Respondent stated that he processed the information in good faith pursuant to his moral obligation to promptly report on what he believes is an illegal act under Philippine laws.51

43 Id. at p. 4.
44 Id. at pp. 4 to 5.
45 Id. at p. 5.
46 Id.
47 Id. at p. 7.
48 Id.
49 Id.

Respondent prays that Complainants’ Motion for Reconsideration dated 11 September 2021 be denied for lack of merit.52

Issues

Whether the Motion for Reconsideration dated 11 September 2021 on the Decision dated 10 June 2021 filed by Complainants should be granted.

Discussion

The Commission partially grants the Motion for Reconsideration filed by Complainants.

The Commission finds that, in order to properly resolve the case, it shall first focus solely on the procedural issues raised by Complainants. The Commission shall not delve into the substantive issues raised by both parties in their respective pleadings until such time that Complainants’ pending Motions have been properly resolved.

In their Motion, Complainants stated that MVP, through its authorized representative, AR, instituted a Complaint dated 11 September 2020 against SM, DMV, and DDZ, which was received and duly acknowledged by the Commission’s CID. Complainants attached to their Motion as Annex “A” a copy of the Complaint.53 They also attached as Annex “B” a copy of the CID’s email stating that the Complaint had been received and would be reviewed shortly.54

50 Id. at pp. 7 to 8.
51 Id. at pp. 8 to 9.
52 Id. at p. 9.
53 Motion for Reconsideration dated 11 September 2021, at p. 23.
54 Id. at p. 52.


Also, a Motion to Consolidate was filed by Complainants on 16 December 2020, stating that their Complaints and the Complaint filed by MVP contain issues that are intimately related to each other. Additionally, since the Commission had yet to issue a resolution on the Motion to Consolidate, Complainants filed a Motion to Resolve on the issue of consolidation dated 24 February 2021.

However, Complainants stated that the Commission did not act on these two (2) pending Motions and that the pending Motions and the verified Complaint filed by MVP were not considered when the Decision dated 10 June 2021 was rendered.55

In terms of procedural issues, the resolution of the Motion to Consolidate and Motion to Resolve is a material fact that needs to be considered by the Commission. Further, the Commission notes that addressing the pending Motions filed by Complainants is imperative in the holistic resolution of the case, given that the Complaints filed by CL and DM and the Complaint filed by MVP are alleged to have similar and interrelated issues that must be reviewed and resolved by the Commission.

Moreover, in this case, the Commission deems that the proper resolution of the pending Motions shall be addressed by the Commission. Thus, the Commission finds that the Motions filed by Complainants shall be remanded to the Complaints and Investigation Division (CID) of the Commission to resolve whether the Complaints filed may be consolidated, as allowed by Section 7 of NPC Circular No. 2021-01 (2021 NPC Rules of Procedure), viz:

SECTION 7. Consolidation of cases. – Except when consolidation would result in delay or injustice, the NPC may, upon motion or in its discretion, consolidate two (2) or more complaints involving common questions of law or fact and/or the same parties.56

Further, the Commission shall await the Resolution of the CID on the pending Motions filed by Complainants before fully deciding on Complainants’ Motion, including its substantive issues. Hence, the Commission partially grants Complainants’ Motion for Reconsideration.

55 Id.
56 Section 7 of NPC Circular No. 2021-01.

As to the Motion to Admit Comment and the attached Comment dated 22 October 2021 filed by Respondent, the Commission notes that Respondent received the Commission’s Order dated 17 September 2021 on 30 September 2021. Therefore, Respondent had fifteen (15) days from receipt of the Order, or until 15 October 2021, to submit his Comment. However, Respondent only submitted his Comment on 22 October 2021, which is beyond the allowed period. Hence, it was filed out of time.

Nonetheless, in consideration of substantial justice, the Commission resolves to admit Respondent’s Motion to Admit Comment and Comment despite their being filed out of time.

WHEREFORE, premises considered, this Commission resolves to PARTIALLY GRANT the Motion for Reconsideration dated 11 September 2021 filed by Complainants CL and DM.

SO ORDERED.

City of Pasay, Philippines, 11 November 2021.

SGD.
JOHN HENRY D. NAGA
Deputy Privacy Commissioner

WE CONCUR:

SGD.
RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner

SGD.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner


Copy furnished:

CL
Complainant

DM
Complainant

MJRVLO
Counsel for Complainants

DDZ
Respondent

PMB
Counsel for Respondent

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission

NPC No. 18-205
In Re: Medicard Philippines, INC.
Resolutions
Page 1 of 7

IN RE: MEDICARD PHILIPPINES, INC.

NPC Case No. 18-205

RESOLUTIONS
x----------------------------------------------------x

Resolution

NAGA, P.C.;

This Resolution refers to the compliance of MediCard Philippines, Inc. (MediCard) with the Resolution dated 10 December 2021.

Facts

On 10 December 2021, the Commission issued a Resolution1 to MediCard, to wit:

WHEREFORE, premises considered, the request of MediCard Philippines, Inc. for exemption from notifying the remaining one thousand two hundred forty-one (1,241) affected data subjects is hereby DENIED.

Further, MediCard Philippines, Inc. is ORDERED to notify the remaining affected data subjects that are not yet notified through e-mail based on the available e-mail addresses in MediCard’s database and at the same time post the notice couched in general terms on its official website for faster dissemination of information.

Finally, MediCard Philippines, Inc. shall submit to the Commission within fifteen (15) days from receipt of this Resolution a compliance report, which shall include details of notification to the data subjects (i.e., proof of the email notifications, postings, and their respective links).

SO ORDERED.2

1 In re: Medicard Philippines Inc., NPC BN 18-205, Resolution dated 10 December 2022, at p. 11.
2 Id.


On 09 March 2022, in compliance with the Resolution of the Commission, MediCard posted on its website3 the notice to affected data subjects, to wit:

Unauthorized Disclosure
09 Mar 2022

We at MediCard Philippines, Inc. take protecting your privacy seriously and recognize our duty to take care of our customers whose data we hold. As such, we take every precaution to ensure that your personal information is protected at all times while maintaining our transparency to our customers.

Last October 2018, we reported a data breach to the National Privacy Commission (NPC) involving a billing statement that was unintentionally delivered to the wrong company. The notification was made pursuant to the mandatory data breach notification procedure of the NPC. Unfortunately, data of some AIG Shared Services employees, limited to: employee number, MediCard ID number, name, and age were exposed in this data breach.

To validate this, if you have been an active employee of AIG Shared Services – Business Processing Inc. in October 2018, please access the following link: https://webportal.medicardphils.com/DataBreachNotice and enter your Member ID and date of birth.

We sincerely apologize that this has happened, and we want to assure you,
as our valued member, that we have taken steps to prevent a recurrence
of the incident. Also, the company has been in close coordination with the
National Privacy Commission (NPC) to address this.

Should you have clarifications, feel free to reach us by mail at [email protected].4

On 15 March 2022, MediCard submitted screenshots of its webpage posting and its e-mail notifications.5

3 See https://www.medicardphils.com/news-promos-announcements/article/35.
4 See Unauthorized Disclosure, available at https://www.medicardphils.com/news-promos-announcements/article/35, last accessed on 22 June 2022.
5 Compliance Report of MediCard Philippines, at pp. 1-2.


In relation to the e-mail notifications, MediCard submitted its Compliance dated 15 March 2022 and 25 May 2022. Along with the 25 May 2022 Compliance are the sworn affidavits of FC and JM, the persons responsible for notifying the affected data subjects through e-mail.

In Mr. FC’s affidavit, he attested that on 09 March 2022, the e-mail notification was sent via the email address [email protected], with the subject: MANDATORY PERSONAL DATA BREACH NOTIFICATION, to a total of three hundred (300) data subjects following the required e-mail settings: (a) request a read receipt and (b) request a delivery receipt.6 He was able to send the e-mail notification to the three hundred (300) e-mail addresses, and the delivery receipts provided were “Delivery to these recipients or groups is complete, but no delivery notification was sent by the destination server.”7 Among the three hundred (300) email notifications, three (3) were not delivered due to “E-mail wasn’t found at gmail.com”, “E-mail address you entered could not be found”, and “Your message could not be delivered.”8 Despite repeated attempts to contact the recipients’ e-mail system, it did not respond.9

In Ms. JM’s affidavit, she attested that on 09 March 2022, she sent an e-mail notification with the subject: Mandatory Personal Data Breach Notification to a total of three hundred and one (301) data subjects via the email address [email protected] She was able to send the e-mail notifications to the three hundred and one (301) e-mail addresses.11 Some of the delivery receipts stated, “Delivery to these recipients or groups is complete, but no delivery notification was sent by the destination server,” while only five (5) have “read receipts”.12 Among the three hundred one (301) e-mail notifications, six (6) were identified as “Undeliverable” and with a “Failure Notice” due to “E-mail wasn’t found at gmail.com” and “Delivery has failed to these recipients or groups”.13

6 Affidavit of FC, p. 2.
7 Id.
8 Id.
9 Id.
10 Affidavit of JM, p. 2.
11 Id.
12 Id.

MediCard was able to successfully deliver five hundred ninety-two (592) e-mail notifications out of the total six hundred and one (601) e-mail addresses available to it. Notifications to nine (9) of the available e-mail addresses were not delivered, for the reasons: “E-mail wasn’t found at gmail.com”, “E-mail address you entered could not be found”, “Your message could not be delivered”, and “Delivery has failed to these recipients or groups”.

Discussion

The Commission finds MediCard compliant with the Resolution dated 10 December 2021.

MediCard was able to notify the remaining one thousand two hundred forty-one (1,241) affected data subjects by sending the notification to the available e-mail addresses of the data subjects14 and by posting the notice on its website.15

Section 18(C) of NPC Circular 16-03, otherwise known as Personal Data Breach Management, provides:

C. Content of Notification. The notification shall include, but not be limited to:

1. nature of the breach;
2. personal data possibly involved;
3. measures taken to address the breach;
4. measures taken to reduce the harm or negative consequences of the breach;
5. representative of the personal information controller, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
6. any assistance to be provided to the affected data subjects. Where it is not possible to provide the foregoing information all at the same time, they may be provided in phases without undue delay.16

13 Id.
14 Compliance Report dated 15 March 2022 and Compliance Report dated 25 May 2022.
15 Unauthorized Disclosure, available at https://www.medicardphils.com/news-promos-announcements/article/35, last accessed on 22 June 2022.

MediCard’s website notification17 contained the nature of the breach, the personal data possibly involved, measures taken to address the breach and reduce the harm or negative consequences of the breach, such as prevention of recurrence of the incident, and contact details of the personal information controller. Thus, the website notification of MediCard sufficiently complied with Section 18(C) of NPC Circular 16-03.

With respect to the e-mail notifications sent to the available e-mail addresses in its records, MediCard was able to submit its Compliance dated 15 March 202218 and 25 May 2022.19

According to the Compliance Report dated 25 May 2022, the affidavits of Mr. FC and Ms. JM stated that nine (9) out of the six hundred one (601) e-mail addresses available to MediCard were not successfully delivered to, for the reasons: “E-mail wasn’t found at gmail.com”, “E-mail address you entered could not be found”, “Your message could not be delivered”, and “Delivery has failed to these recipients or groups.”20

The failure to send e-mail notifications to the remaining nine (9) data subjects, despite MediCard’s repeated attempts, rendered the individual e-mail notification impossible.21

Even though there is an impossibility in sending e-mail notifications to these data subjects, the Commission provides for alternative means of notifying them through NPC Circular No. 16-03 (Personal Data Breach Management).22

16 National Privacy Commission, Personal Data Breach Management, NPC Circular 16-03, rule V, § 18 (C) (15 December 2016) (NPC Circular 16-03).
17 Unauthorized Disclosure, available at https://www.medicardphils.com/news-promos-announcements/article/35, last accessed on 22 June 2022.
18 Compliance Report dated 15 March 2022.
19 Compliance Report dated 25 May 2022.
20 Affidavit of FC; Affidavit of JM.
21 Final Enforcement Assessment Report, 23 June 2022, p. 6.

Particularly, Section 18(D) of NPC Circular No. 16-03 allows for alternative means of notification in which data subjects would be informed about the personal data breach in an equally effective manner if individual notification is impossible or would require disproportionate effort, to wit:

SECTION 18. Notification of Data Subjects. The personal information controller shall notify the data subjects affected by a personal data breach, subject to the following procedures:

xxx

D. Form. Notification of affected data subjects shall be done individually, using secure means of communication, whether written or electronic. The personal information controller shall take the necessary steps to ensure the proper identity of the data subject being notified, and to safeguard against further unnecessary disclosure of personal data. The personal information controller shall establish all reasonable mechanisms to ensure that all affected data subjects are made aware of the breach: Provided, that where individual notification is not possible or would require a disproportionate effort, the personal information controller may seek the approval of the Commission to use alternative means of notification, such as through public communication or any similar measure through which the data subjects are informed in an equally effective manner: Provided further, that the personal information controller shall establish means through which the data subjects can exercise their rights and obtain more detailed information relating to the breach.23 (Emphasis supplied)

Based on the records, the nine (9) remaining data subjects still could not be reached despite repeated attempts, and the e-mails could not be delivered for various reasons.24 Given these circumstances, the Commission finds that there is an impossibility in individually notifying these data subjects. Consequently, alternative notification is allowed for these data subjects.

22 National Privacy Commission, Personal Data Breach Management, NPC Circular 16-03, rule V, § 18 (D) (15 December 2016) (NPC Circular 16-03).
23 National Privacy Commission, Personal Data Breach Management, NPC Circular 16-03, rule V, § 18 (15 December 2016) (NPC Circular 16-03).
24 See Affidavit of FC and Affidavit of JM.


The Commission notes that MediCard has already posted the notification on its official website, which was in compliance with the Resolution dated 10 December 2021. Thus, the Commission deems the alternative notification sufficient with regard to the nine (9) remaining data subjects who could not receive email notifications of the data breach.

WHEREFORE, premises considered, this Commission resolves that the matter of NPC 18-205 “In re: MediCard Philippines, Inc.” is hereby considered CLOSED.

SO ORDERED.

Pasay City, Philippines, 14 July 2022.

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

WE CONCUR:

Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Sgd.
DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner

COPY FURNISHED:

RTM
Data Protection Officer
4th The World Center Building
330 Sen. Gil Puyat Ave., Makati City

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission

NPC No. 19-278
JO vs MSMI
Resolutions
Page 1 of 9

JO,
Complainant,

-versus-

MSM, Inc.,
Respondent.

NPC Case No. 19-278
For: Violation of the Data Privacy Act of 2012

RESOLUTIONS
x----------------------------------------------------x

RESOLUTION

NAGA, P.C.;

Before the Commission is a Motion for Reconsideration dated 15 May 2022 filed by JO on the Commission’s Decision dated 31 March 2022.

Facts

JO, through a Complaints-Assisted Form dated 27 March 2019, filed a case against the Respondent, MSM, Inc. (MSMI).1 On 31 March 2022, the Commission issued a Decision dismissing the complaint for lack of merit.2

The Decision was served via email to both parties on 29 April 2022.3
Subsequently, JO submitted an unsigned Motion for Reconsideration
on 16 May 2022 via email.4 In the email, JO stated that, “I will send
physical copy personally (signed),”5 and attached his unsigned
Motion.6 Based on the records, JO filed a signed physical copy of
his Motion on 17 May 2022.7

1 Complaints-Assisted Form dated 27 March 2019 of JO.
2 JO vs MSM, Inc., NPC 19-278, Decision dated 31 March 2022.
3 See Electronic mail dated 29 April 2022 to JO and MSM, Inc.; Electronic Mail Delivery Receipts.
4 Motion for Reconsideration dated 15 May 2022 (unsigned) of JO.
5 Electronic Mail dated 16 May 2022 from JO.
6 Id.
7 Motion for Reconsideration dated 15 May 2022 (signed) with stamp receipt of JO.


In his Motion, JO claims that there was no “cogent reason” for the dismissal of his complaint.8 He states that “the complaint itself has shown an exceptionally good cause that indeed respondents unquestionably, deliberately and seriously violated the right(s) of the complainant and complaint itself involves a serious violation or wanton breach of the Data Privacy Act.”9

He claims that there was bias or partiality in the dismissal of his complaint. To support this claim, JO cites an alleged incident in the course of the preliminary investigation:

The Investigating Officer have already decided the favorable resolution of the complaint to the respondent(s) since, quoted thereat the following remarks, “MADEDEHADO KA DITO (REFERRING TO NPC) KUNG WALA KANG ABOGADO” (sic)10

JO also argues that MSMI has committed data privacy violations, especially by MSMI’s alleged admission that it was using “the account name and code of complainant who has effectively resigned since 31 December 2018.”11 He further contends that MSMI should be penalized under Section 33 of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA).12 Lastly, JO claims that MSMI could have performed its tasks manually, but opted to breach his personal data.13

In response, MSMI filed an Opposition (to the Motion for Reconsideration dated 15 May 2022) dated 01 June 2022.14 MSMI argues that “[JO’s] Motion should be outrightly denied for being pro forma inasmuch as it fails to point out specifically the findings or conclusions of the Commission in its Decision which are not supported by the evidence or which are contrary to law…”,15 thereafter citing Rule 37 of the 2019 Rules of Civil Procedure.16

8 Id., at pp. 1-2.
9 Id., at p. 2.
10 Id.
11 Motion for Reconsideration dated 15 May 2022 of JO, at p. 2.
12 Id.
13 Id.
14 Opposition (to the Motion for Reconsideration dated 15 May 2022) dated 01 June 2022 of MSM, Inc.
15 Id., at ¶ 2.
16 Id.


MSMI also counters that JO “fails to provide any iota of evidence to show that this Honorable Commission exhibited any bias or partiality in its Decision other than to reference the period within which the said Decision was issued and to quote the Investigating Officer.”17 According to MSMI, the alleged statement, if true, also does not show bias but “only reflects the Investigating Officer’s prudent act of advising Complainant of the possibility of engaging counsel.”18 Even if this showed bias or partiality, MSMI claims that it is not one of the grounds for a motion for reconsideration.19

MSMI cites the Decision in claiming that there was no privacy violation, in that JO’s email and Philippine Overseas Employment Administration (POEA) code are company-owned assets, and not owned by JO.20 Thus, MSMI prays that the Commission deny JO’s Motion.

Issue

Whether the Motion for Reconsideration merits the reversal of the Decision dated 31 March 2022.

Discussion

The Commission denies JO’s Motion for Reconsideration.

I. The Decision has already attained finality. JO’s period to file a motion for reconsideration has already lapsed.

Rule VII, Section 30 of NPC Circular 2016-04, or the Rules of Procedure (2016 NPC Rules of Procedure), states:

17 Id., ¶ 4.
18 Opposition (to the Motion for Reconsideration dated 15 May 2022) dated 01 June 2022 of Multinational Ship
Management, Inc., ¶ 4(b).
19 Id., ¶ 4(c).
20 Id., ¶ 7. See JO vs MSM, Inc., NPC 19-278, Decision dated 31 March 2022, at p. 12.


SECTION 30. Appeal. – The decision of the National Privacy Commission shall become final and executory fifteen (15) days after the receipt of a copy thereof by the party adversely affected. One motion for reconsideration may be filed, which shall suspend the running of the said period. Any appeal from the Decision shall be to the proper courts, in accordance with law and rules.21 (Emphasis supplied)

Likewise, Rule VIII, Section 4 of NPC Circular No. 2021-01, otherwise known as the 2021 NPC Rules of Procedure (2021 NPC Rules), states:

SECTION 4. Appeal. – The decision of the Commission shall become final and executory fifteen (15) calendar days after receipt of a copy by both parties. One motion for reconsideration may be filed, which shall suspend the running of the said period. Any appeal from the Decision shall be to the proper courts, in accordance with law and rules.22

The Decision dismissing the case was served to the parties via
email on 29 April 2022. JO, in his Motion, claims that he received
the Decision on 10 May 2022.23 Based on the records, this was the
day he received the physical copy of the Decision after it was sent
through private courier.24

Nevertheless, it should be noted that electronic service is allowed under Rule III, Section 6 of the NPC Rules.25 Also, there was no notification or other proof that there were problems with the electronic service.26 JO even sent an email attaching his unsigned Motion by replying to the Commission’s email which electronically served him the Decision.27

Thus, the Commission finds that the electronic service of its Decision
on 29 April 2022 was valid. Consequently, the Decision already
became final on 14 May 2022, which was the fifteenth day from
receipt of the Decision, since there was no appeal filed within the
fifteen (15)-day period.

21 National Privacy Commission, Rules of Procedure of the National Privacy Commission, NPC Circular No. 16-04, Rule
VII, § 30 (15 December 2016) (2016 NPC Rules of Procedure)
22 National Privacy Commission, 2021 Rules of Procedure of the National Privacy Commission, NPC Circular No. 2021-
01, Rule VIII, § 4 (28 January 2021) (2021 NPC Rules of Procedure).
23 Motion for Reconsideration dated 15 May 2022 of JO, at p. 1.
24 As per LBC tracking number.
25 2021 NPC Rules of Procedure, Rule III, § 6.
26 See Electronic mail delivery receipts.
27 Electronic mail dated 16 May 2022 of JO.


JO electronically mailed his unsigned Motion on 16 May 2022. However, under Rule 7, Section 3 of the 2019 Rules of Civil Procedure (which finds suppletory application in this case),28 “[e]very pleading and other written submissions to the court must be signed by the party or counsel representing him or her.”29 JO, as the party filing the Motion, did not follow this clear obligation. It was only on 17 May 2022 that the Commission received a physical and signed copy of his Motion. Moreover, it bears emphasis that regardless of whether JO filed his Motion on 16 May 2022 or 17 May 2022, the Decision had already attained finality.

Even if the Commission were to consider the unsigned Motion as duly filed, JO’s period to file a motion for reconsideration had already lapsed since the Decision was already final. On this ground alone, the Commission has sufficient cause to deny JO’s Motion.

II. On the merits, JO did not provide any substantial or adequate ground to reverse the Decision.

Setting aside the procedural infirmity, the Commission still finds that
the Decision must be upheld. JO has not shown any substantial or
adequate ground that would merit the reversal of the Decision.

JO does not explicitly state that the Commission is biased. His Motion
does not even cite any particular statement from the Decision that
would be indicative of partiality. However, he claims that during
the preliminary investigation proceedings, the Investigating Officer
“already decided the favorable resolution of the complaint to the
respondent(s)”30 due to the alleged statement “MADEDEHADO KA
DITO (REFERRING TO NPC) KUNG WALA KANG ABOGADO.”31

28 See 2021 NPC Rules of Procedure, Rule XII, § 8.
29 2019 Rules of Civil Procedure, Rule VII, § 3. (Emphasis supplied)
30 Motion for Reconsideration dated 15 May 2022 of JO, at p. 2.
31 Id.


The Commission views allegations of bias seriously, given that the National Privacy Commission is an independent body mandated to administer and implement the DPA.32 Taking into consideration its role, the Commission finds that JO has not proven that the Decision is tainted with bias against him.

In fact, in resolving JO’s complaint, the Commission even exercised its authority to rule on the merits, rather than dismissing the complaint outright for non-exhaustion of remedies based on Section 4(a) of NPC Circular 16-04. To quote the Decision:

I. The Commission exercises its authority to resolve the case on the merits.

MSMI contends that the case should be dismissed since JO did not prove
that he complied with Section 4(a) of NPC Circular No. 16-04, also known
as the 2016 NPC Rules of Procedure.

In response, JO claims that after resigning, he immediately informed the company to refrain from accessing his personal information.

xxx

Based on the record, JO has not concretely provided evidence that he has complied with Section 4(a) of NPC Circular No. 16-04, since there is no proof that he informed MSMI, in writing, about the alleged privacy violation. Other than his allegations stated in his various pleadings before the Commission, JO did not attach any letter or other written correspondence to MSMI relating to the alleged privacy violation. Thus, he did not provide substantial evidence that will lead the Commission to conclude that he complied with Section 4(a) of NPC Circular No. 16-04.

Nevertheless, the Commission exercises its authority to waive the requirement of exhaustion of administrative remedies, based on the last paragraph of Section 4 of the 2016 Rules of Procedure.

JO’s allegations, if substantially proven, may lead the Commission to conclude that there was a serious violation of the DPA. The allegations also show that there may be serious risk of harm to JO, given that the

32 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes, [Data
Privacy Act of 2012], Republic Act No. 10173, Chapter II, § 7 (2012).

608 THE 2022 COMPENDIUM OF NPC ISSUANCES



emails he provided allegedly show acts which he did not do, but may be
liable for.

Thus, the Commission finds it appropriate to exercise its authority to
resolve the case on the merits.33 (Emphases supplied, citations omitted.)

The Commission could have just resolved to dismiss outright JO’s
complaint simply because he failed to prove that he informed
MSMI in writing about the alleged privacy violation in order for it to
appropriately act on the matter.34 Instead, it approached the case
from the lens of substantial justice by assessing JO’s complaints
based on the merits of his case. These actions are inconsistent with
claims of bias or partiality against JO.

Further, regardless of the propriety of the Investigating Officer’s
alleged statement, the Decision was made only after the Commission
scrutinized each party’s submissions, evidence, and the law. The
Commission ultimately decides on the matter, independent of
the recommendations of the investigating officer, since “[t]he
Commission shall review the evidence presented, including the Fact-
Finding Report and supporting documents.”35 Though his complaint
was dismissed, this in itself does not automatically prove that there
was bias.

JO also repeats his claim that MSMI committed privacy violations
when it “[used] the account name and code of complainant who
has effectively resigned since 31 December 2018… There was a
categorical admittance that the e-mail was provided for by the
company (respondents), hence, bolster the fact that it is still being
wantonly utilized by the company even after the complainant (data
subject) effectively resigned since December 31, 2018 by another
person. (sic)”.36 He also claims that MSMI should be penalized under
Section 33 of the DPA to serve as a deterrent to those similarly inclined
to violate the law or commit data breaches.37

33 JO v. MSM, Inc., NPC 19-278, Decision dated 31 March 2022, at pp. 9-11.
34 See National Privacy Commission, Rules of Procedure, NPC Circular No. 16-04, § 4(a) (15 December 2016).
35 2021 NPC Rules of Procedure, Rule VIII, § 1.
36 Motion for Reconsideration dated 15 May 2022 of JO, at p. 2.
37 Id.


The Commission has already extensively discussed JO’s contentions
in its Decision. Further, the Commission finds that there are no new
material facts or information presented by JO in his Motion that
would warrant the reversal of the Commission’s Decision.

As explained in the Decision, the POEA code is a company asset and
cannot be considered as part of JO’s personal information. While
JO’s company-issued email indicates his name, its use after his
resignation does not automatically equate to a violation of the DPA.
MSMI had a legitimate interest to continue using the POEA Account to
access the Sea-based e-Contracts System (SBECS). MSMI’s interest
stems from POEA Memorandum Circular No. 06, series of 2018,
which established the mandate for licensed manning agencies, like
MSMI, to use POEA’s web-based facility for its business processes
with the agency.38

MSMI also proved that it timely informed POEA about JO’s resignation,
and that it had to rely on POEA in order for MSMI to gain access to
SBECS.39

Lastly, the Commission finds that JO failed to justify why MSMI
should be penalized under Section 33 of the DPA “[a]s a deterrent
to others who are similarly inclined to commit such serious Data
Privacy Violations or Personal Data Breach (sic).”40

Section 33 of the DPA provides:

SEC. 33. Combination or Series of Acts. – Any combination or series of
acts as defined in Sections 25 to 32 shall make the person subject to
imprisonment ranging from three (3) years to six (6) years and a fine of
not less than One million pesos (Php1,000,000.00) but not more than Five
million pesos (Php5,000,000.00).41

38 Philippine Overseas Employment Administration, Memorandum Circular No. 06, series of 2018, New Procedure for
Online Registration of Seafarers and Seabased e-Contracts System (SBECS).
39 JO vs MSM, Inc., NPC 19-278, Decision dated 31 March 2022, at p. 14; see Motion to Dismiss dated 02 July 2019 of
Multinational Ship Management, Inc., Annex “F”.
40 Motion for Reconsideration dated 15 May 2022 of JO at p. 2.
41 Data Privacy Act of 2012, Chapter VIII, § 33.


JO has not proven that MSMI is liable for violating any of Sections
25 to 32 of the DPA, much less that it should be penalized for a combination or
series of acts meriting the application of Section 33 of the law.

Indeed, after reviewing the records and considerably weighing the
evidence and arguments of both parties, the Commission finds no
reason to reverse its Decision.

WHEREFORE, premises considered, the Motion for Reconsideration
is DENIED. The Decision dated 31 March 2022 is hereby AFFIRMED.

SO ORDERED.

City of Pasay, Philippines.
16 June 2022.

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

WE CONCUR:

Sgd.
DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner

(Inhibited)
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Copy furnished:

JO
Complainant

MSM, INC.
Respondent

ATTY. FT
Counsel for Respondent

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission



NPC No. 19-909
In Re: Fcash Global Lending, INC.,
Resolutions
Page 1 of 14

IN RE: FCASH GLOBAL LENDING, INC., OPERATING FASTCASH ONLINE LENDING APPLICATION.

NPC Case No. 19-909
For: Violation of the Data Privacy Act
x----------------------------------------------------x

RESOLUTION

NAGA, P.C.;

Before us is a Motion for Reconsideration dated 28 February 2022
(Motion) by Respondents FCash Global Lending Inc., KDM, TH, JPS,
JCT, and ZS (Respondents) assailing the Decision dated 23 February
2021 (Decision), copy of which was received through counsel on 17
February 2022. The challenged Decision disposed as follows:

WHEREFORE, all the above premises considered, this Commission
hereby:

1. FINDS Respondent FCash Global Lending Inc. and its Board of Directors
to have violated Sections 25, 28, and 31 of the Data Privacy Act
of 2012; and

2. FORWARDS this Decision and a copy of the pertinent case records
to the Secretary of Justice, recommending the prosecution of the
Respondents for the crimes of Unauthorized Processing of Personal
Information and Sensitive Personal Information under Section 25 of
the DPA, Processing of Personal Information and Sensitive Personal
Information for Unauthorized Purposes under Section 28 of the
DPA, and Malicious Disclosure under Section 31 of the DPA. The
maximum penalty for violations of the abovementioned provisions is
recommended to be imposed following Section 35 of the DPA.1
Respondents’ Motion reiterated the grounds they relied upon in

1 Decision dated 23 February 2021


their Motion to Dismiss, to wit:

1. The Decision was issued not in compliance with the National Privacy
Commission (NPC) Rules of Procedure, hence, with grave abuse of
discretion amounting to a lack or excess of jurisdiction;

2. The Decision ignored the rule on exhaustion of remedies under Section
4, Rule II of the NPC Rules;

3. The Decision ignored the rule on litis pendentia, there being pending
cases involving Respondent FCash filed by specific individual
complainants who appear to be the same parties in the case;

4. The Decision violates and renders nugatory the provisions of the DPA
on amicable settlement and alternative modes of dispute resolution
which are expressly promoted by law;

5. The Decision arbitrarily, unfairly, and erroneously impleaded the
corporate officers of Respondent FCash despite the lack of evidence,
let alone allegations, that any of them participated in the alleged acts
nor committed any gross negligence.2

Thus, Respondents pray for the reconsideration and the setting aside
of the Decision dated 23 February 2021, which in effect dismisses
the case against FCash.

The Commission now resolves the Motion.

The Commission has, time and time again, adequately ruled on
this matter. The Commission already addressed these issues in its
Resolution dated 02 October 2019 for the Motion to Dismiss dated
16 September 2019 and the Resolution dated 23 January 2020 for
the Motion for Reconsideration dated 10 December 2019.

Furthermore, in relation to the Petition for Certiorari under Rule 65 of
the Rules of Court filed by Respondents with the Honorable Court of
Appeals in reference to its denied Motion for Reconsideration dated
23 January 2020, the Commission argued that “[a]t the outset, it
bears to point out that the resort to certiorari is not the proper remedy
to assail the denial [of Respondent’s] motion to dismiss.”3 The

2 Motion to Dismiss dated 16 September 2019

RESOLUTION - NPC 19-909 613



Commission reminded that it is settled in jurisprudence that the writ
of certiorari is “available only where the tribunal, board or officer
exercising judicial functions has acted without or in excess of their
jurisdiction, or with grave abuse of discretion, and there is no appeal,
or any plain, speedy and adequate remedy in the ordinary course of
law. The special civil action should not be allowed as substitute for
any ordinary appeal or where there are other remedies available.”4
Nevertheless, the Commission shall take this final opportunity to
clarify matters with Respondents.

I. The assailed Decision was issued in compliance with the NPC Rules of
Procedure

Respondents argue that the proceeding was not conducted in
compliance with NPC Circular 16-04 or the NPC Rules of Procedure
(Rules) as there was no complaint filed but instead a Fact-Finding
Report, which Respondents argued does not satisfy the requirement
to initiate a sua sponte investigation. Such matter has already been
resolved by the Commission in its 02 October 2019 Resolution.

To reiterate, Section 23 of Rule IV of the Rules provides for the
power of the Commission to investigate on its own initiative the
circumstances surrounding a possible serious privacy violation or
personal data breach, taking into account the risks of harm to a data
subject. Consequently, the investigation shall be made in accordance
with Rule III of the same Rules under the principle of uniform
procedure, which was sufficiently complied with in this case.5

The Fact-Finding Report dated 29 August 20196 (FFR) that was
served on Respondents contains a narration of the material facts
and the supporting documentary evidence which showed, among
other things, the violations allegedly committed by Respondent
FCash in operating its online lending application.7 The same FFR was
submitted to the Commission for its perusal to determine whether
violations of the Data Privacy Act of 2012 (DPA) were committed.

3 FCash Global Lending Inc., rep by KDM vs National Privacy Commission, Comment of Respondent National Privacy
Commission dated 02 August 2021.
4 Id.
5 Resolution dated 02 October 2019.
6 In re: FCash Global Lending Inc., Fact-Finding Report dated 29 August 2019.
7 Resolution dated 02 October 2019.


Considering that the FFR contains all the findings of the investigating
division of the NPC, such document is the complaint initiating the
administrative proceedings in cases of sua sponte investigation. As
sua sponte means “of one’s own accord”, the NPC, through the CID,
has initiated, on its own, a complaint against Respondent by filing
the FFR.

Further, in accordance with the Rules, Respondents were then
given an opportunity to submit an Answer, as prescribed by Rule
IV of the Rules, wherein the Responsive Comment or Answer is
immediately required from Respondents after they receive the Fact-
Finding Report, to wit:

SECTION 24. Uniform procedure. – The investigation shall be in accordance
with Rule III of these Rules, provided that the respondent shall be provided
a copy of the fact-finding report and given an opportunity to submit
an answer. In cases where the respondent or respondents fail without
justification to submit an answer or appear before the National Privacy
Commission when so ordered, the Commission shall render its decision on
the basis of available information.8

As discussed by this Commission in its NPC 19-910 Resolution,
“the procedure for a sua sponte investigation does not include a
Discovery Conference because all the information and evidence in
the hands of the Commission are already set out in and attached to
the Fact-Finding report when it is provided to respondent.”9

It was emphasized by the Commission in NPC 19-910 Resolution that:

[W]hile Section 24 of Rule IV of the Rules provides that the investigation
be in accordance with Rule III, it includes a provision: ‘that the respondent
shall be provided with a copy of the Fact-Finding Report and given
an opportunity to submit an answer.’ Rule IV does not state that the
procedure should be exactly identical to the one described under Rule III.
As used in Section 24 of Rule IV, ‘in accordance with Rule III’ simply means
as far as practicable taking into consideration and giving effect to the
difference between the two (2) procedures.10
Further, to recall, in the Resolution dated 02 October 2019:

8 Section 24, Rule IV of NPC Circular 16-04.
9 NPC 19-910, Resolution dated 11 March 2021.
10 Id.


[T]he provision on the Uniform Procedure under the Rules should be read
in light of the unique situation arising from the sua sponte nature of the
present investigation. Under the NPC Rules, discovery is a procedure
employed by parties to avail of, to compel the production of, or to preserve
the integrity of electronically stored information. This procedure need not
be resorted to by the Commission, however, in its exercise of its power of
original inquiry. This is all the more true in this case considering that there
are no private parties that can be called to confer for discovery. It must be
emphasized that this case was initiated by a team of investigators in the
Commission in response to serious allegations of data privacy violations
allegedly committed upon a large number of data subjects.11

Respondents claimed that the FFR already contained conclusions
and recommendations for the prosecution of all the respondents
for alleged violation of the provisions of the DPA.12 To recall, it has
been pointed out by this Commission that “no judgement of any
kind has been made on this case for or against Respondents.”13 As
previously discussed, the FFR is treated as the complaint in cases
that are initiated through a sua sponte proceeding. The FFR is not
the view of the Commission En Banc but rather a brief narration of
the material facts and the supporting evidence which shows among
other things, the cause of action of the complainant against the
respondent.

Further, as the FFR is the complaint in cases of sua sponte
investigations, Respondents were given the opportunity to be heard
by ordering them to file their Answer or Comment to the submitted
FFR. However, despite these opportunities given by the Commission
to Respondents, the orders were left unanswered and ignored.
Instead, Respondents questioned the authority of the Commission
to determine this case.

Given this, the investigation and the procedure of recommending a
possible violation of the DPA have all been done in accordance with
the powers vested in the Commission to institute sua sponte cases
provided by the DPA and the Rules. Respondents should note that
the response of the Commission upon receiving the FFR was an
Order to File an Answer and not a decision.

The fact that there exist hundreds of pending cases before the
Commission against Respondents is no bar to the filing of the case

11 Resolution dated 02 October 2019.
12 R.A. 10173.
13 Resolution dated 02 October 2019.


on hand but instead highlights the seriousness of the data privacy
violations and risks of harm to data subjects. The Commission notes
that the other pending cases against the Respondents and the case
at hand involve different parties with different causes of action and
prayers for relief.

As held by the Supreme Court in Yap vs. Court of Appeals:14

Litis pendentia as a ground for the dismissal of a civil action refers to that
situation wherein another action is pending between the same parties
for the same cause of action, such that the second action becomes
unnecessary and vexatious. The underlying principle of litis pendentia is
the theory that a party is not allowed to vex another more than once
regarding the same subject matter and for the same cause of action. This
theory is founded on the public policy that the same subject matter should
not be the subject of controversy in courts more than once, in order that
possible conflicting judgments may be avoided for the sake of the stability
of the rights and status of persons.

The requisites of litis pendentia are: (a) the identity of parties, or at least
such as representing the same interests in both actions; (b) the identity
of rights asserted and relief prayed for, the relief being founded on the
same facts; and (c) the identity of the two cases such that judgment in
one, regardless of which party is successful, would amount to res judicata
in the other.15

In the present case, none of the foregoing requisites were met.
As it was repeatedly emphasized, the pending cases against the
Respondents and the case at hand involve different parties with
different causes of action and prayers for relief.

As argued by the Commission in its Comment dated 02 August 2021
for the case C.A.– G.R. SP No. 168046:

The cause of the individual complaints is to enforce the individuals’
rights vested by the DPA. Meanwhile, a complaint which arose from a
sua sponte investigation is hinged on the [Commission’s] responsibility,
as representative of the State, ‘to protect the fundamental human rights
of privacy, of communication while ensuring free flow of information to
promote innovation and growth.’ The individual complaints were only
cited in the Fact-Finding Report to demonstrate the seriousness of the

14 G.R. No. 186730, June 13, 2012.
15 Id.


possible data privacy violation.

The [FFR] itself shows that the Task Force conducted an independent
investigation against [FCash]. It reviewed [FCash’s] Privacy Policy, the
user reviews alleging serious privacy violations, and the mobile application
itself. The investigators evaluated how [FCash’s] application operates and
the extent to which the privacy of its users is protected by examining
the Android Manifest, including ‘permissions’ required by the application.
The Fact-Finding Report itself states: ‘Examination of publicly accessible
information and the initial technical evaluation of FCash and the Fast
Cash online lending application shows that the company has failed to
demonstrate compliance with the DPA.’

Clearly, the investigators made findings beyond the scope of the individual
complaints filed by the data subjects. These include inaccessible
information regarding [FCash’s] Data Protection Officer, failure to
exercise efforts in response to privacy complaints, inadequate Privacy
Policy, and presence of dangerous permissions violating the principle of
proportionality.16
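The manifest examination the quoted passage describes, shown here as an added illustration that is not taken from the Fact-Finding Report or from any NPC or FCash material: a Python script parses an AndroidManifest.xml, lists the requested permissions that Android places at protection level "dangerous" (contacts, SMS, location, camera and the like), and flags each one for which no processing purpose has been stated, which is the proportionality question the investigators raised. The sample manifest, its package name and the purpose mapping are constructed for the example and describe no real application.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of the permissions Android assigns protection level "dangerous"
# (runtime permissions gating contacts, SMS, call log, location, camera,
# microphone and shared storage). Illustrative, not the complete list.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest for a hypothetical lending app. It is not the
# manifest of FCash's application or of any real product.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lendingapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="LendingApp"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    # The android: attributes are namespaced; ElementTree uses Clark notation.
    name_attr = "{%s}name" % ANDROID_NS
    return [node.get(name_attr)
            for node in root.iter("uses-permission")
            if node.get(name_attr)]


def assess_proportionality(manifest_xml: str, purposes: dict) -> dict:
    """Split the requested dangerous permissions by whether a purpose is stated.

    `purposes` maps a permission name to the processing purpose declared in the
    privacy policy or loan flow (hypothetical input). A dangerous permission
    with no entry is reported as unjustified.
    """
    dangerous = [p for p in requested_permissions(manifest_xml)
                 if p in DANGEROUS_PERMISSIONS]
    return {
        "dangerous": dangerous,
        "justified": {p: purposes[p] for p in dangerous if p in purposes},
        "unjustified": [p for p in dangerous if p not in purposes],
    }


if __name__ == "__main__":
    # Hypothetical purpose mapping: only the camera use is documented.
    declared = {"android.permission.CAMERA": "photo of ID for identity verification"}
    report = assess_proportionality(SAMPLE_MANIFEST, declared)
    for perm in report["dangerous"]:
        if perm in report["justified"]:
            print(f"{perm}: justified ({report['justified'][perm]})")
        else:
            print(f"{perm}: NO STATED PURPOSE")
```

A manifest pulled from an APK with a decoder such as apktool can be fed to the same functions; the point of the check is not the count of permissions but whether each dangerous one maps to a purpose the controller actually disclosed.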

II. The assailed Decision did not ignore the rule on exhaustion of remedies
under Section 4, Rule II of the NPC Rules.

Respondents contend that the Commission failed to observe the
mandatory exhaustion of remedies requirement under Section
4, Rule II of the NPC Rules as Respondents were not granted the
opportunity to “take timely or appropriate action on the claimed
privacy violation or personal data breach”17 before a complaint can
be filed.

As held by the Commission in NPC 19-910, to wit:

The Respondent’s interpretation that the Commission should first reach
out to respondents to be ‘given the opportunity to institute appropriate
actions to rectify the alleged criminal violations of the DPA’ is purpose-
defeating, if not plainly absurd. Sua sponte investigations are only
conducted under specific premises under the Rules of Procedure, thus:

Section 23. Own initiative. – Depending on the nature of the
incident, in cases of a possible serious privacy violation or personal

16 Supra note 3, at p. 23.
17 Section 4 (b), Rule II of NPC Circular No. 16-04.


data breach, taking into account the risks of harm to a data
subject, the Commission may investigate on its own initiative the
circumstances surrounding the possible violation. Investigations
may include on-site examination of systems and procedures. If
necessary, the Commission may use its enforcement powers to
order cooperation of the personal information controller or other
persons, with the investigation or to compel appropriate action to
protect the interests of data subjects.

As seen with the abovementioned criteria for a sua sponte investigation,
complaints are only initiated in cases of a possible serious privacy violation
or personal data breach. In these actions, the Commission considers
evident risks of harm to a data subject. The privacy violation or personal
data breach that can be directly acted upon by the Commission is qualified
with a degree of seriousness that makes it different from complaints under
Rule III. This degree of seriousness is considered in relation to the level of
risks posed to the data subjects, and may be manifested in different ways
such as the scale of processing or the number of reports received by the
Commission.

Thus, in cases of sua sponte investigations, it is futile for the Commission to
exhaust remedies by communicating with the respondent. The provision
on the exhaustion of remedies is meant to provide an opportunity for
parties to amicably settle among themselves and rectify the situation. This
is only resorted to when the possibility of rectification still exists.

The nature and purpose of sua sponte investigations make such exhaustion
of remedies futile because by the time the Commission detects a privacy
violation or personal data breach, the opportunity for rectification is
no longer available. The requirement of exhaustion of remedies is thus
inapplicable to sua sponte investigations.

Furthermore, such provision for the exhaustion of remedies is not an
absolute rule that renders all non-conforming complaints invalid. The
Commission has previously discussed the purpose for the exhaustion of
remedies in an earlier Decision:

This rule was intended to prevent a deluge of vexatious complaints from
those who waited for a long period of time to pass before deciding to
lodge a complaint with the NPC, unduly clogging its dockets. Notably,
however, the same Section provides that the Commission has the discretion
to waive such period for filing upon good cause shown, or if the complaint
involves a serious violation or breach of the DPA, taking into account the
risk of harm to Complainant.18


Respondents also argue that the conduct of a sua sponte investigation
is unnecessary as there were already several pending complaints
against it.

As held by the Commission in NPC 19-910, the Commission wishes
to highlight:

Nowhere in its Decision did the Commission ‘admit that the sua sponte
investigation was conducted in lieu of the several complaints received by
the Honorable Commission against Respondent[.]’ On the contrary, the
Decision explicitly stated that the sua sponte investigation is independent
and separate from the individual cases by stating that ‘the pending cases
and the case on hand involve different parties, different causes of action
with different prayers of relief.’

xxx

The individual complaints were only cited to demonstrate the seriousness
of the possible data privacy violation.19

The sua sponte investigation was conducted due to the potential
harm to the data subjects. This is in consideration of the Commission’s
mandate in the DPA to ensure a personal information controller’s
compliance with the law20 and institute investigations when
necessary.21 This is likewise in consideration of the provision in NPC
Circular 2021-01, which allows conduct of sua sponte investigations
of possible privacy violations or personal data breaches.22 Hence,
18 NPC 19-910, Resolution.
19 Id.
20 An Act Protecting Individual Personal Information in Information and Communications Systems in the Government
and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes [Data
Privacy Act of 2012], Republic Act No. 10173, chapter II, § 7(a) (2012).
21 Id. § 7(b).


the sua sponte investigation of the Commission was conducted due
to its mandate and function and not because of several complaints.

III. The assailed Decision did not ignore the rule on litis pendentia, there being
pending cases involving Respondent FCash filed by specific individual
complainants who appear to be the same parties in the case

Further, Respondents claim that the conduct of a separate
proceeding involving the same subject matter as cases which are
currently being investigated and pending for adjudication by this
Commission through its investigating officers violates the principle
of litis pendentia. As previously discussed, the pending cases before
the Commission filed by different complainants are entirely different
from the case initiated by a sua sponte investigation. These cases
have different parties, different causes of action with different
prayers of relief. The cited complaints in the FFR were, to reiterate,
used to emphasize the gravity and seriousness of the violation of
data privacy. Respondents erred in saying that they are being vexed
for the same subject matter.

IV. The assailed Decision does not violate nor render nugatory the provisions
of the DPA on amicable settlement and alternative modes of dispute
resolution which are expressly promoted by law.

As to the contention that the Decision is totally in conflict with the
other decisions of this Commission approving the amicable settlement
entered into by specific complainants, the Commission wishes to
remind Respondents that the previous decisions of the Commission
approving the amicable settlements are entirely different from the
case initiated by the sua sponte investigation. These cases which
are settled and dismissed by virtue of an amicable settlement are
not decided based on the merits of the case but due to the mutual
understanding of the parties. The final amicable settlement that
contains the terms and conditions of the parties for the settlement
of the case has the force and effect of law between these parties.
No provision of the DPA was used to arrive at the settlement. As
held by the Supreme Court in the case of Miguel v. Montañez:

Being a by-product of mutual concessions and good faith of the parties,
22 NPC Circular No. 2021-01, rule X, §§ 5-6.


an amicable settlement has the force and effect of res judicata even if not
judicially approved. It transcends being a mere contract binding only upon
the parties thereto, and is akin to a judgment that is subject to execution
in accordance with the Rules.23

Further, “[w]hile the Rules on Mediation embodied in NPC Circular
No. 18-03 did not provide a distinction between cases which can
and cannot undergo mediation, NPC Circular No. 16-04 categorically
states that ‘no settlement is allowed for criminal acts.’”24

The Commission also wishes to emphasize that the purpose of
the mediation settlement is to help parties arrive at an acceptable
compromise. Considering that the cause of action in a complaint
borne out of a sua sponte investigation is the State’s duty to protect
the right to privacy and not to prosecute to claim reparation on
behalf of private individuals, no compromise can be had between
the State and the Respondent.

Hence, the previous decisions of the Commission confirming the
amicable settlement of the parties are not contrary to the Decision,
as no interpretation and application of the DPA was used nor
were preceding decisions of the Commission applied. The decisions
of the Commission were merely a recognition of the agreement of
the parties to settle the case based on their mutual understanding
and not through the remedial procedures of this Commission.

V. The assailed Decision did not arbitrarily, unfairly, and erroneously
implead the corporate officers of Respondent Fcash despite the lack of
evidence, let alone allegation, that any of them participated in the alleged
acts nor committed any gross negligence.

Lastly, Respondents contend that impleading its corporate officers
despite the lack of evidence, let alone allegations, that any of them
participated in the alleged acts or committed any gross negligence
is arbitrary, unfair, and erroneous.25 This Commission points out
that the DPA is clear that the liability of the responsible officers in
cases where the offender is a corporation does not rely on active
participation alone. Gross negligence is explicitly stated in the DPA
as a ground for criminal liability, to wit:

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership

23 Miguel v. Montañez, G.R. No. 191336, 25 January 2012.
24 NPC 19-910, Resolution.
25 Motion for Reconsideration dated 28 February 2022.


or any juridical person, the penalty shall be imposed upon the responsible
officers, as the case may be, who participated in, or by their gross
negligence, allowed the commission of the crime. If the offender is a juridical
person, the court may suspend or revoke any of its rights under this Act. If
the offender is an alien, he or she shall, in addition to the penalties herein
prescribed, be deported without further proceedings after serving the
penalties prescribed. If the offender is a public official or employee and he
or she is found guilty of acts penalized under Sections 27 and 28 of this
Act, he or she shall, in addition to the penalties prescribed herein, suffer
perpetual or temporary absolute disqualification from office, as the case
may be.26

There is no reason for the Commission to reverse its earlier finding
that the Respondent officers are liable for gross negligence. As
stated in the Decision of this Commission in the case of NPC 19-910:

The Supreme Court has consistently defined gross negligence as ‘the negligence
characterized by the want of even slight care, or by acting or omitting to act
in a situation where there is a duty to act, not inadvertently but willfully and
intentionally, with a conscious indifference to the consequences of, insofar as
other persons may be affected. It is the omission of that care that even inattentive
and thoughtless men never fail to give their own property.’27

The fact that the Board of Directors (BOD) failed to act on the
voluminous and alarming privacy issues of their borrowers negates
the legal presumption that the BOD employed ordinary care in the
discharge of their duties and instead, presumes that the BOD knew
about these collection practices and approved of it. There are one
hundred and sixty-six (166) complaints against Respondent as of
July 2019. The Complaint also attached user reviews on Respondent
application in Google Play Store. The user comments narrated
experiences on how the Respondent gains access to mobile
phonebook/directory/contact list for the purpose of disclosing
their transactions without their consent and authority.28 It can be
reasonably said that the privacy complaints against Respondent
have reached into the public’s consciousness.29 Thus, it is the
responsibility of the BOD to show to this Commission that they have
employed the necessary diligence expected from them. However,
no evidence was presented by the Respondent to rebut this
presumption against them. Further, despite the BOD’s responsibility
to show the Commission that it employed necessary diligence, it
unfortunately still refuses to present any evidence demonstrating
that it addressed, or at the very least, did not allow such actions.

26 Section 34 of R.A. 10173
27 Fernandez v. Office of the Ombudsman, G.R. No. 193983, 14 March 2012
28 Fact-Finding Report dated 29 August 2019, pg. 11-13

Citing the SEC registration records of the Respondent, the Complaint
specifically named KDM, TH, JPS, JCT, and ZS as the original
incorporators, registered directors, and officers of Respondent.
Thus, the abovementioned violations of the DPA shall be imputed
against all of them due to their gross negligence following Section
34.30

Considering the foregoing, Respondents have not provided any new
or material allegations that would merit the reversal of the Decision.

WHEREFORE, all the above premises considered, this Commission
hereby resolves to DENY the Motion for Reconsideration filed by
FCash Global Lending Inc. The Decision of the Commission dated 23
February 2021 is hereby AFFIRMED.

SO ORDERED.

City of Pasay, Philippines.
28 April 2022.

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

WE CONCUR:

Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Sgd.
DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner

29 See: https://manilastandard.net/business/biz-plus/335368/sec-voids-license-of-fcash-global.html
30 Fact-Finding Report dated 29 August 2019, pg. 9-10



Copy furnished:

BTLO
Counsel for FCash Lending Inc.

COMPLAINTS AND INVESTIGATION DIVISION
ENFORCEMENT DIVISION
GENERAL RECORDS UNIT
National Privacy Commission

NPC No. 2022-01
Guidelines on Administrative Fines
Circulars
Page 1 of 6

NPC Circular No. 2022-01

Date: 08 August 2022

Subject: GUIDELINES ON ADMINISTRATIVE FINES

WHEREAS, it is the policy of the State to protect the
fundamental human right of privacy of communication while ensuring
free flow of information to promote innovation and growth;

WHEREAS, the National Privacy Commission (Commission)
was created under Republic Act No. (R.A.) 10173, otherwise known
as the “Data Privacy Act of 2012” (DPA), in order to discharge
the duty of the State to protect individual personal information in
information and communications systems in the government and
the private sector;

WHEREAS, the Commission has the express mandate under
R.A. 10173 and its Implementing Rules and Regulations (IRR) to: (1)
ensure compliance with the provisions of R.A. 10173; (2) receive
complaints, institute investigations, and adjudicate on matters
affecting any personal information; (3) compel any entity, government
agency or instrumentality to abide by its orders or take action on a
matter affecting data privacy; and (4) generally perform such acts
as may be necessary to facilitate cross-border enforcement of data
privacy protection;

WHEREAS, the Commission shall perform all acts as may be
necessary to implement the DPA, its IRR, and its issuances, and to
enforce its Orders, Resolutions, or Decisions, including the imposition
of administrative sanctions, fines, or penalties;

WHEREAS, the Commission encourages Personal Information
Controllers (PICs) and Personal Information Processors (PIPs) to
promote organizational accountability by initiating measures to
enhance their compliance with the DPA to protect the rights of their
data subjects;

WHEREAS, the Commission recognizes that it is necessary for
public interest to impose administrative fines that are proportionate
and dissuasive for the effective exercise of its mandate;

WHEREFORE, in consideration of these premises, the
Commission hereby issues this Circular fixing the amount of
administrative fines to be imposed for infractions of R.A. 10173, its
IRR, and other issuances of the Commission;


Section 1. Scope. This Circular is applicable to PICs and PIPs as
defined in the DPA.

Section 2. Administrative Fines. Any PIC or PIP who shall violate
the following provisions of R.A. 10173, its IRR, and the issuances of
the Commission shall be liable for an administrative fine for each
infraction. The amount of the fine for each infraction shall fall within
the ranges identified below and shall be determined in accordance
with the factors enumerated in Section 3. In any case, the total
imposable fine for a single act of a PIC or PIP, whether resulting
in single or multiple infractions, shall not exceed Five Million Pesos
(Php 5,000,000.00).

GRAVE INFRACTIONS

Any natural or juridical person processing personal data that infringes on the
following provisions and implementing issuances of the Commission shall be
subject to administrative fines of 0.5% to 3% of the annual gross income of the
immediately preceding year when the infraction occurred:

a. For each infraction of any of the general privacy principles in the processing
of personal data pursuant to Section 11 of the DPA, where the total number of
affected data subjects exceeds one thousand (1,001 or more);

b. For each infraction of any of the data subject rights pursuant to Section 16
of the DPA, where the total number of affected data subjects exceeds one
thousand (1,001 or more); or

c. Any repetition of the same infraction penalized under this Circular, regardless
of the classification as Major Infraction.

MAJOR INFRACTIONS

Any natural or juridical person processing personal data that infringes on the
following provisions and implementing issuances of the Commission shall be
subject to administrative fines of 0.25% to 2% of the annual gross income of the
immediately preceding year when the infraction occurred:


a. For each infraction of any of the general privacy principles in the processing
of personal data pursuant to Section 11 of the DPA, where the total number of
affected data subjects is one thousand or below (1-1,000);

b. For each infraction of any of the data subject rights pursuant to Section 16 of
the DPA, where the total number of affected data subjects is one thousand or
below (1-1,000);

c. Any failure by a PIC to implement reasonable and appropriate measures to
protect the security of personal information pursuant to Section 20 (a), (b), (c),
or (e) of the DPA;

d. Any failure by a PIC to ensure that third parties processing personal information
on its behalf shall implement security measures pursuant to Section 20 (c) or (d)
of the DPA; or

e. Any failure by a PIC to notify the Commission and affected data subjects of
personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise
punishable by Section 30 of the DPA.

OTHER INFRACTIONS

a. Any natural or juridical person processing personal data that commits any
of the omissions provided hereunder shall be subject to an administrative fine
of not less than Fifty Thousand Pesos (Php 50,000) but not exceeding Two
Hundred Thousand Pesos (Php 200,000):

i. The failure to register the true identity or contact details of the PIC, the
data processing system, or information on automated decision making,
pursuant to Section 7(a), Section 16, and Section 24 of the DPA and its
corresponding implementing issuances; or

ii. The failure to provide updated information as to the identity or contact
details of the PIC, the data processing system, or information on
automated decision making, pursuant to Section 7(a), Section 16, and
Section 24 of the DPA and its corresponding implementing issuances.

b. Any natural or juridical person processing personal data that fails to comply
with any Order, Resolution, or Decision of the Commission, or of any of its duly
authorized officers, pursuant to Section 7 of the DPA and its corresponding
implementing issuances, shall be subject to an administrative fine not exceeding
Fifty Thousand Pesos (Php 50,000).

The fine to be imposed as a result of this infraction shall be in addition to the fine
imposed for the original infraction subject of the Order, Resolution, or Decision
of the Commission.

(e.g., If the Order, Resolution, or Decision imposes a fine that pertains to the
implementation of security measures, a maximum of Php 50,000 shall be added
to the fine for that infraction.)


This Circular shall also apply to infractions to be provided in future
issuances of the Commission. In those instances, the range of
applicable fines shall be set out in such issuance.

Section 3. Factors Affecting Fines. The Commission shall consider
the following factors in determining the amount of the fine within
the range provided in Section 2:

a. Whether the infraction occurred due to negligence or
through intentional infraction on the part of the PIC or PIP;
b. Whether the infraction resulted in damage to the data
subject, taking into account the degree of damage to the
data subject, if any;
c. The nature or duration of the infraction, in relation to the
nature, scope, and purpose of the processing;
d. The action or measure taken prior to the infraction to protect
the personal data being processed as well as the rights of the
data subject under Section 16 of the DPA;
e. Any previous infractions determined by the Commission
as contained in its Orders, Resolutions or Decisions, whether
these infractions have led to the imposition of fines, and the
length of time that has passed since those infractions;
f. The categories of personal data affected;
g. The manner in which the PIC or PIP discovered the infraction,
and whether it informed the Commission;
h. Any mitigating action adopted by the PIC or PIP to reduce
the harm to the data subject; and
i. Any other aggravating or mitigating circumstances as
appreciated by the Commission, including financial benefits
incurred or losses avoided by the PIC or PIP.

For the purpose of ascertaining the annual gross income of the
PIC or PIP that committed the infraction, the Commission may
evaluate and require the submission of the PIC’s or PIP’s audited
financial statements filed with the appropriate tax authorities for the
immediately preceding year when the infraction occurred, the last
regularly prepared balance sheet or annual statement of income
and expenses, and such other financial documents as may
be deemed relevant and appropriate.

In cases where a PIC or PIP has not been operating for more than one
year, the base to be used for the computation of the administrative
fine shall be its gross income at the time the infraction was committed.


Section 4. Due Process. The administrative fine shall only be
imposed after notice and hearing are afforded to the PICs or PIPs, in
accordance with the NPC Rules of Procedure.

In case the PIC or PIP fails to appear or submit its comment
or pleading, despite due notice, the Commission shall decide on the
alleged infraction based on the evidence on record.

If the complaint alleges a violation of the DPA that incurs
criminal liability, but the facts proven only constitute one or some of
the infractions subject to administrative fines, the PIC or PIP shall be
fined for the infraction proven, provided it is included in the violation
alleged.

A violation charged includes the infraction proven when some
of the essential elements of the former, as alleged in the complaint,
constitute the latter.

A PIC or PIP may be held liable for an infraction, even if it
is different from the infraction impleaded, provided that (1) the
essential requisites of the infraction for which the PIC or PIP is found
liable are alleged in the complaint, and (2) such infraction is proven
based on substantial evidence.

Section 5. Appeal. The Decision or Resolution of the Commission
shall be immediately executory unless otherwise restrained by the
Court of Appeals or the Supreme Court.

Section 6. Posting of Bond on Imposed Administrative Fines. In any
or all actions assailing the Decisions or Resolutions of the Commission
pertaining to the administrative fine imposed, a cash or surety bond
equivalent to the total amount of fine imposed shall be posted,
exclusive of the damages, attorney’s fees, and other monetary
awards, upon such filing of any action with the appropriate courts.
Non-posting of a cash or surety bond shall result in the immediate
execution of the administrative fine imposed.

The cash or surety bond shall be valid and effective from the
date of deposit or posting until the case is finally decided, resolved,
or terminated, or the administrative fine imposed is satisfied.
In case of a surety bond, the PIC or PIP must (1) post the bond
through a bonding company included in the latest list of bonding
companies accredited by the Supreme Court for Civil Cases and
Special Proceedings, and (2) comply with the requirements of such
bonding company.


No motion to reduce bond shall be entertained by the Commission.

Section 7. Refusal to Comply. In case of refusal to pay the adjudged
administrative fine under this Circular, the PIC or PIP may be subject
to a Cease and Desist Order (CDO), other processes or reliefs as the
Commission may be authorized to initiate pursuant to Section 7 of
the DPA, and appropriate contempt proceedings under the Rules of
Court.

Notwithstanding the provisions of NPC Circular No. 20-02 or
the Rules on the Issuance of Cease and Desist Orders, the failure to
comply with the Order, Resolution, or Decision of the Commission
may, after notice and hearing, result in the issuance of a CDO.

Section 8. Periodic Review and Modification. This Circular may be
modified, amended, supplemented, or repealed as may be deemed
necessary and proper by the Commission.

Section 9. Separability Clause. In the event that any provision of
this Circular be declared invalid or unconstitutional, the remaining
provisions shall remain effective and in full force and effect.

Section 10. Applicability Clause. These rules apply to PICs and PIPs
for the above infractions prospectively. All issuances inconsistent
with the provisions of this Circular shall be deemed repealed,
amended, or modified accordingly.

Section 11. Effectivity. This Circular shall take effect fifteen (15)
days following its publication in a newspaper of general circulation.

Approved:

Sgd.
ATTY. JOHN HENRY D. NAGA
Privacy Commissioner

Sgd.
ATTY. LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

Sgd.
ATTY. DUG CHRISTOPER B. MAH
Deputy Privacy Commissioner



NPC No. 2022-02
Amending Certain Provisions
Circulars
Page 1 of 6

NPC Circular No. 2022-02

Date: 01 December 2022

Subject: AMENDING CERTAIN PROVISIONS OF NPC CIRCULAR
NO. 20-01 ON THE GUIDELINES ON THE PROCESSING
OF PERSONAL DATA FOR LOAN-RELATED
TRANSACTIONS

SECTION 1. Objective. — This Circular aims to expound on NPC
Circular No. 20-01 to respond to exigencies in the processing of
personal data for loan-related transactions by lending and financing
companies and other persons acting as such.

SECTION 2. Amendments. — The following provisions of NPC
Circular No. 20-01 are hereby amended as stated below:

A. In Section 3(A), fifth and sixth paragraphs shall be inserted to read:

5. LCs, FCs and other persons acting as such shall obtain consent
for the processing of personal data at the point where the personal
data is necessary. They should provide just-in-time notices before
obtaining the consent of the data subjects.

A just-in-time notice provides data subjects with information on
how a particular piece of information he or she is asked to provide
will be processed. This information is provided at the point in time
where the LCs, FCs, or other persons acting as such is about to
process or processes such personal data of the data subject.

6. The most appropriate format in providing details of processing
to borrowers, as required by Section 16 (b) of the DPA and Section
34 (a) (2) of its Implementing Rules and Regulations (IRR), shall be
the format which is aligned with the business processes of the LCs,
FCs, or other persons acting as such, with utmost consideration
to the accessibility of the information and convenience of the
borrowers [e.g., if the loan transaction is being facilitated through
a mobile application, the aforementioned information shall be
readily accessible and easily located within the mobile application].

B. Section 3 (D) is hereby amended to read as follows:


D. Where online applications are used for loan processing activities,
LCs, FCs, or other persons acting as such shall be prohibited
from conducting unnecessary processing including requiring
unnecessary permissions that involve personal and sensitive
personal information.

1. Mobile applications shall only require data subjects to provide
access to personal data through permissions or protected
resources when suitable, necessary, and not excessive to the
legitimate purposes provided in Section 3 (B) (1) and Section 3
(C) of this Circular, and debt collection, subject to the limitations
provided by law and in accordance with applicable provisions of
law.

Processing of personal data from application permissions, such
as but not limited to accessing contact lists and cameras of data
subjects, should only commence at the point where the information
is necessary for the purposes provided for in the preceding
paragraph.

In cases where the data subjects provide information that was
not obtained through application permissions, such information
should still be processed in a manner that is not excessive to the
legitimate purpose.

2. When the purpose for accessing an application permission has
already been achieved and there are no other applicable lawful
criteria for such access, such online applications shall prompt the
data subject to turn off, disallow these permissions, or inform the
data subject that access to the relevant application permissions
may already be revoked.

3. Where an online application requires access to the borrower’s
phone camera, or access to the photo gallery to choose a photo
for the legitimate purposes of KYC and preventing fraud at the
beginning of the loan application or for payment verification and
other similar legitimate purposes, permissions for such access may
be allowed during that particular stage in the loan process and
must be turned off after the fulfillment of such purposes or the
data subject shall be informed when such purposes have been
fulfilled and access to the relevant application permission(s) may
already be revoked.

Where the photo has already been taken and saved in the
application, the application should already turn off the relevant
application permission by default, or at the very least, prompt
the borrower through appropriate means (e.g., just-in-time, pop-up
notices) that he or she may already turn off or disallow such
permission as the same is no longer necessary for the operation
of the application. In no way shall the borrower’s photo be used to
harass or embarrass the borrower in order to collect a delinquent
loan or for any unfair collection practices.

4. Access to and processing of contact lists may be allowed for the
purpose of deriving proportional metadata1 about such contact
lists subject to Section 3 (D) (1) and the requirements of Section 4.

“Contact list” refers to any compilation or list of information
maintained by the data subject that enables him or her to
communicate with other individuals. This includes the data subject’s
phone contact lists, email lists, or social media contacts.

Unbridled processing of contact lists, in whatever form, is prohibited.
“Unbridled processing” refers to processing that is unconstrained,
excessive, and disproportional to its purpose, such as, but not
limited to:
a) Processing that leads to harassment;
b) Processing for collection of debt outside of the guarantors
provided by the borrower; and
c) Processing that results in unfair collection practices.²

5. Subject to the limitations of the immediately preceding paragraph,
the processing of contact lists for purposes of identifying and
contacting the character references or guarantors provided by the
borrowers themselves is allowed. Online lending applications must
have separate interfaces where borrowers can provide character
references and guarantors of their own choosing. LCs, FCs,
and other persons acting as such may only be provided limited
access to and only to the minimum extent necessary to allow the
borrowers to choose from their phone contact list their character
references and guarantors, if any.

C. The following provisions shall be added to Section 3:

G. LCs, FCs, and other persons acting as such shall, as part of their
registration with the NPC, submit a complete list of the names
of all publicly available applications owned or operated by such
entities including all publicly available online applications used for
loan processing activities, in accordance with the applicable Rules
on Registration of Data Processing Systems and Notifications
regarding Automated Decision-Making;

1 Metadata as used in this Circular is understood to be any information that may define or describe
contact lists.
2 Securities and Exchange Commission, “Prohibition on Unfair Debt Collection Practices of Financing
Companies (FC) and Lending Companies (LC),” SEC Memorandum Circular No. 18, series of 2019 [SEC
MEMO. CIRC. 18, s. 2019], § 1 (19 August 2019): Unfair collection practices are those which use or
involve threats of use of violence or other criminal means to harm the physical person, reputation or
property of any person, as well as those which use threats to take any action that cannot be legally
taken.


H. PIPs or third-party service providers operating in the Philippines,
engaged by LCs, FCs, and other persons acting as such, shall
likewise be required to register with the NPC whenever they are
engaged in the processing of personal data under the instructions
of the LCs, FCs, or other persons acting as such;

I. For PIPs or third-party service providers outside the Philippines,
LCs, FCs, and other persons acting as such, shall ensure that
appropriate technical and contractual controls are in place to
ensure appropriate protection in the processing of personal data,
taking into consideration Sections 28 to 29 and 43 to 45 of the IRR
of the DPA;

J. Upon determination of any violation of this Circular, the NPC
shall revoke the registration of the PIC or PIP upon due notice and
after providing the PIC or PIP an opportunity to explain pursuant to
the NPC’s existing rules on revocation of registration; and

K. LCs, FCs, and other persons acting as such or PIPs or third-party
service providers whose Certificate of Registration has
been revoked by the NPC or those determined to have violated
the registration requirements, shall be subject to penalties and
disciplinary measures as provided in the DPA, its IRR and other
issuances of the NPC.

D. Section 4 is hereby amended to read as follows:

SECTION 4. Character references. — A character reference is a
person whose contact information is provided for verification
of the identity and veracity of the information provided by the
borrower for the grant of a loan.

A. A borrower may be required to provide names and contact
numbers of character references to support the evaluation of the
loan application process. To this end, it shall be the responsibility
of the borrower to inform his or her character reference regarding
the latter’s inclusion as such.

B. LCs, FCs, and other persons acting as such shall adopt policies
and procedures in handling the personal data of such character
references, which may include policies on handling calls.

C. LCs, FCs, and other persons acting as such shall adequately
inform the concerned individuals that they were chosen as
character reference of the loan applicant and how their contact
details were obtained. LCs, FCs and other persons acting as such
shall also provide the character reference with the option of having
his or her personal data removed as a character reference.


D. Contacting character references for purposes other than for the
verification of identity and veracity of the information provided by
the borrower, such as but not limited to, marketing, cross-selling,
or sharing to third parties for purposes of offering other products
or services, is prohibited.

E. A character reference shall not be automatically treated as a
guarantor.

E. A new Section 5 is hereby added to read as follows:

SECTION 5. Guarantors. — A guarantor is one who expressly
binds himself or herself to the creditor to fulfill the obligation of
the individual borrower in case the latter should fail to do so. For
a person to be considered a guarantor, he or she should have
given his or her consent to be a guarantor in accordance with the
provisions of the Civil Code on guaranty.

A. The guarantor’s separate consent must be obtained by the LC, FC
or other persons acting as such, in accordance with the applicable
provisions of the DPA, particularly those on transparency, the right
of data subjects to be informed, and consent as a lawful basis for
processing personal data.

B. For purposes of debt collection, LCs, FCs or persons acting
as such may only contact the guarantor. Contacting persons in
the borrower’s contact list other than those who were named as
guarantors is prohibited in accordance with this Circular and the
applicable issuances of the Securities and Exchange Commission
on unfair debt collection practices.³

F. The succeeding Sections on Credit Data, Outsourcing, and Rights of
the data subject are hereby renumbered accordingly:

SECTION 6. Credit Data. — x x x
SECTION 7. Outsourcing. — x x x
SECTION 8. Rights of the data subjects. — x x x

SECTION 3. Transitory Provisions. — All LCs, FCs, and other
persons acting as such shall register all online applications used
for loan processing activities with the NPC in accordance with
the applicable Rules on Registration of Data Processing Systems
and Notifications regarding Automated Decision-Making within
fifteen (15) days after the effectivity of this Circular or within thirty
(30) days from the availability of the NPC’s registration system,
whichever comes later.

3 See: Securities and Exchange Commission, “Prohibition on Unfair Debt Collection Practices of
Financing Companies (FC) and Lending Companies (LC),” SEC Memorandum Circular No. 18, series of
2019 [SEC MEMO. CIRC. 18, s. 2019], § 1 (19 August 2019).


All online applications which will be made publicly available after the
effectivity of this Circular shall be registered with the Commission
in accordance with Section 2 (C) of this Circular.

SECTION 4. Separability Clause. — If any portion or provision of
this Circular is declared null and void, or unconstitutional, the other
provisions not affected thereby shall continue to be in force and
effect.

SECTION 5. Repealing Clause. — All other rules, regulations, and
issuances contrary to or inconsistent with the provisions of this
Circular are deemed repealed or modified accordingly.

SECTION 6. Effectivity. — This Circular shall take effect fifteen (15)
days after its publication in the Official Gazette or a newspaper of
general circulation.

Approved:

SGD.
JOHN HENRY D. NAGA
Privacy Commissioner

SGD.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

NPC No. 2022-03
Guidelines for Private Security
Circulars
Page 1 of 7

NPC Circular No. 2022-03

Date : 05 December 2022

Subject : GUIDELINES FOR PRIVATE SECURITY AGENCIES ON
THE PROPER HANDLING OF CUSTOMER AND VISITOR
INFORMATION

WHEREAS, the National Privacy Commission (NPC) recognizes the vital role of
Private Security Agencies (PSA) and Security Guards in ensuring the safety and
security of persons and properties;

WHEREAS, entities classified as personal information controllers (PICs) under
Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), generally engage
PSAs and Security Guards to secure and control access to identified areas or
properties, among others;

WHEREAS, the NPC received reports concerning the apparent disregard by some
Security Guards of the data privacy rights of customers, visitors, and other data
subjects;

WHEREAS, pursuant to the Philippine National Police-Supervisory Office for
Security and Investigation Agencies Memorandum dated 15 June 2020 and the
Housing and Land Use Regulatory Board Administrative Order 3, Series of 2017
dated 19 May 2017, PSAs and other similar entities engaged by homeowners’
associations (HOA) do not have the authority to require motorists to surrender their
driver’s license, even temporarily, as a condition for entry to gated communities,
as such authority is lodged by law¹ only upon the Land Transportation Office
(LTO) or others it may deputize;

WHEREAS, the sole purpose for requiring an Identification Card (ID) from the
customers, visitors, and other data subjects is to verify their identity;

WHEREAS, there is a need to inform and acquaint PSAs and Security Guards with
the proper processing of personal data during the performance of their duties to
avoid violating the rights of data subjects under the DPA;

WHEREAS, Section 11 of the DPA allows the processing of personal information
subject to compliance with the requirements of the DPA and other laws allowing
disclosure of information to the public, and adherence to the general principles of
transparency, legitimate purpose, and proportionality;

1 Land Transportation and Traffic Code, § 29: Confiscation of Driver’s License. – Law enforcement and
peace officers of other agencies duly deputized by the Director shall, in apprehending a driver for any
violation of this Act or any regulations issued pursuant thereto, or of local traffic rules and regulations
not contrary to any provisions of this Act, confiscate the license of the driver concerned and issue a
receipt prescribed and issued by the Bureau therefor which shall authorize the driver to operate a
motor vehicle for a period not exceeding seventy-two hours from the time and date of issue of said
receipt. The period so fixed in the receipt shall not be extended, and shall become invalid thereafter.
Failure of the driver to settle his case within fifteen days from the date of apprehension will be a
ground for the suspension and/or revocation of his license.


WHEREAS, Section 14 of the DPA states that a PIC may subcontract the
processing of personal information: provided, that the PIC shall be responsible for
ensuring that proper safeguards are in place to ensure the confidentiality of the
personal information processed, prevent its use for unauthorized purposes, and
generally, comply with the requirements of the DPA and other laws for processing
of personal information;

WHEREAS, Section 21 (a) of the DPA further states that a PIC is accountable
for complying with the requirements of the law and shall use contractual or
other reasonable means to provide a comparable level of protection while the
information is being processed by a third party;

WHEREAS, PSAs and Security Guards engaged by a PIC are considered personal
information processors (PIPs) and are also bound to observe the requirements of
the DPA and other applicable laws;

WHEREAS, pursuant to Section 7 of the DPA, the NPC is charged with the
administration and implementation of the provisions of the law, which includes
ensuring the compliance by PICs with the provisions of the DPA, and carrying
out efforts to formulate and implement plans and policies that strengthen the
protection of personal information in the country, in coordination with other
government agencies and the private sector;

WHEREAS, Section 9 of the Implementing Rules and Regulations of the DPA (IRR)
provides that the Commission shall, among its other functions, develop, promulgate,
review or amend rules and regulations for the effective implementation of the law;

WHEREFORE, in consideration of the foregoing premises, and without prejudice
to the application of other pertinent laws and regulations on the matter, the NPC
hereby issues this Circular that prescribes the guidelines for PICs as well as PSAs
and Security Guards acting as PIPs, on the proper handling of data subjects’
personal data.

SECTION 1. Scope. — This Circular shall apply to all PICs, and to PSAs and Security
Guards acting as PIPs, in the processing of personal data of customers, visitors,
and other data subjects as part of their security services.

SECTION 2. Definition of Terms. — The definitions of terms in the DPA and its IRR,
as amended, are adopted herein. In addition, whenever used in this Circular, the
following terms shall mean or be understood as follows:

A. “Private Security Agency” or “PSA” refers to any person or entity
engaged in contracting, recruitment, training, furnishing, or posting of
Security Guards and other private security personnel to individuals,
corporations, offices, and organizations, whether private or public, for their
security needs as the Philippine National Police (PNP) may approve;²

2 See: Department of Labor and Employment, Revised Guidelines Governing the Employment and
Working Conditions of Security Guards and other Private Security Personnel in the Private Security
Industry, Department Order No. 150-16, series of 2016 [DOLE DO No. 150-16], § 2 (i) (Feb. 9. 2016).


B. “Security Guard” refers to any person who offers or renders personal
service to watch or secure either a residence, business establishment,
buildings, compounds, areas, or property, inspects, monitors, or performs
bodily checks or searches of individuals or baggage, and other forms of
security inspection,³ as authorized by the PIC or by the PSA to perform
such functions, regardless of his or her designation;

C. “Service Agreement” refers to the contract between the PIC and the
PSA acting as a PIP containing the terms and conditions governing the
performance or completion of security service, jobs, or work being farmed
out for a definite or predetermined period;⁴

D. “Subcontracting” refers to the outsourcing, assignment, or delegation
of the processing of personal data by a PIC to a PIP. In this arrangement,
the PIC retains control over the processing;

E. “Subcontracting Agreement” refers to a contract, agreement, or any
similar document which sets out the obligations, responsibilities, and
liabilities of the parties to a subcontracting arrangement. It shall contain
mandatory stipulations prescribed by the IRR.

SECTION 3. General Obligations of PICs engaging the services
of PSAs. — All PICs engaging the services of PSAs shall have the
following obligations:

A. Transparency. PICs, in coordination with the PSAs, shall be responsible
for developing a privacy notice in clear and plain language which shall
explain to all customers, visitors, and other data subjects:

1. The purpose of collecting personal data, e.g., monitoring or
controlling access to premises for the security, safety, and protection
of persons and properties, pursuant to legitimate interests (for private
sector PICs) or laws and regulations (for government PICs);
2. The security measures implemented to safeguard personal data;
3. The fact that the personal data collected, whether manually or
through electronic systems, shall be turned over to the pertinent PIC
who engaged the PSA or the Security Guard;
4. The retention period of personal data; and
5. Their rights as a data subject and mechanisms on how to exercise
the same;

B. Proportionality. PICs shall observe proportionality in all personal data
processing activities including those outsourced or subcontracted
to PSAs. They shall not require PSAs acting as PIPs as well as the
Security Guards to access, record, copy, or otherwise collect any
sensitive personal information for purposes of ascertaining the identity
of an individual, nor shall they direct them to keep ID cards containing
sensitive personal information.

3 Id. § 2 (h).
4 DOLE DO No. 150-16, § 2 (j).


However, PICs may instruct PSAs and authorized Security Guards to
visually examine a government-issued ID within a reasonable time:
provided, that there is prior sufficient explanation to the data subject
of the necessity of processing sensitive personal information for that
purpose: provided further, that the government-issued ID shall not be
kept by the PSA or authorized Security Guards.

C. Accountability. PICs shall use contractual or other reasonable means
to ensure that proper safeguards are in place to guarantee the
confidentiality, integrity, availability of the personal data processed,
and to prevent its use for unauthorized purposes. PICs shall ensure that
a Subcontracting Agreement or Service Agreement is executed with
PSAs prior to any personal data processing activity. Such agreement
shall contain the following:

1. The subject-matter and duration of the processing;
2. The nature and purpose of the processing;
3. The type/s of personal data that will be processed;
4. The categories of data subjects;
5. The geographic location of the processing under the agreement;
6. The obligations and rights of PICs;
7. The specific obligations of PSAs taking into consideration the
mandatory stipulations under Section 44 (b) of the IRR of DPA; and
8. The duty of PSAs to comply with the requirements of the DPA and its
IRR, other relevant issuances of the Commission, other applicable
laws, and any other obligations with the PICs.

D. Safeguards. PICs shall ensure that reasonable and appropriate
safeguards are in place for the processing of personal data by PSAs
and their Security Guards which include, but are not limited to:

1. Appropriate data protection policies that provide for organizational,
physical, and technical security measures, taking into account the
nature, scope, context and purpose of the processing, as well as
the risks posed to the rights and freedoms of data subjects;
2. Clear and adequate instructions on the processing of personal data,
whether in paper-based or electronic systems, including the strict
protocols to be observed by Security Guards in the processing of
sensitive personal information, where justified, as provided under
Section 3(B) of this Circular;
3. Reasonable retention period of personal data as well as the method
to be adopted for the secure return, destruction, or disposal of the
same and the timeline therefor, taking into account the purpose
for which the personal data was obtained and the provisions of the
applicable Subcontracting Agreement or Service Agreement.


a. The retention of personal data shall only be limited to the time necessary
for the fulfillment of the declared, specified, and legitimate purpose/s,
or when the processing relevant to the purpose has been terminated.
b. For government agencies, the retention period under the applicable law
shall be observed.⁵

SECTION 4. Obligations of PSAs acting as PICs. — All PSAs acting
as PICs shall have the following obligations:

A. Registration. All PSAs acting as PICs shall register with the Commission
in accordance with the applicable Rules on the Registration of Data
Processing Systems and Notifications regarding Automated Decision-
Making;

B. Training. PSAs shall provide trainings on the DPA, its IRR, and other
relevant issuances of the Commission to all Security Guards prior to
their assignment or deployment.

1. The orientation shall include an overview on the proper handling
of personal data that comes to their knowledge and possession
in the course of providing security services, the requirement to
maintain confidentiality, integrity, and availability of personal data,
and the corresponding sanctions for any unauthorized processing
of personal data;
2. The conduct of the training shall be properly documented at all
times. The Commission may require the submission of the same in
accordance with the applicable provisions of the DPA, its IRR, and
other issuances on the matter;

C. Inspection. All PSAs shall ensure that all Security Guards assigned or
deployed are complying with the requirements of the DPA. For this
purpose, PSAs shall conduct regular onsite visits in establishments
where their Security Guards are assigned or deployed.

SECTION 5. Obligations of PSAs acting as PIPs. — All PSAs acting
as PIPs shall have the following obligations:

A. Privacy Notice. PSAs shall make reasonable efforts to notify the data
subjects of the relevant information about the processing of their
personal data through a privacy notice developed by the PIC in
coordination with the PSAs.

B. Proportionality. For purposes of ascertaining the identity of an individual,
PSAs and authorized Security Guards shall not access, record, copy,
or otherwise collect any sensitive personal information such as date
of birth, government-issued ID numbers, images of government-issued
IDs, nor shall they keep ID cards containing sensitive personal
information.

5 See: National Archives of the Philippines, General Records Disposition Schedule common to all
Government Agencies, series 2009 which provides for the retention period of two (2) years after date
of last entry for logbooks (available at https://nationalarchives.gov.ph/wp-content/uploads/2015/04/
NAP-Gen.-Circular-1-2-and-GRDS-2009.pdf).

However, PSAs and authorized Security Guards may be allowed to
examine a government-issued ID within a reasonable time: provided, that
there is prior sufficient explanation to the data subject of the necessity
of processing sensitive personal information for that purpose: provided
further, that the government-issued ID shall not be kept by the PSA or
authorized Security Guards.

C. Security measures. PSAs and their Security Guards shall, in coordination
with the PIC, implement appropriate security measures that:

1. Aim to maintain the availability, integrity, and confidentiality of personal
data processed;
2. Provide adequate protection against any accidental or unlawful
destruction, alteration, disclosure, and unlawful processing, as well as
against natural and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration and contamination.

PSAs and Security Guards shall, at all times, ensure that entries consisting
of personal data in the logbooks, health forms, and other records are not
visible to or accessible by unauthorized persons, employees, or other data
subjects to prevent unlawful processing of personal data.

D. Assistance. PSAs acting as PIPs and their Security Guards shall cooperate
with the relevant PIC in addressing any requests for the exercise of
data subject rights. PSAs shall not engage another PIP without prior
instruction from the PIC.

E. Inspection. PSAs acting as PIPs shall allow audits and inspections
conducted by the PIC or another auditor authorized by such PIC.

SECTION 6. Penalties. — The processing of personal data in violation
of this Circular shall carry criminal, civil, and administrative liability
pursuant to the provisions of the DPA and related issuances of the
Commission. This is without prejudice to the administrative penalties
that may be imposed under Republic Act No. 5487 or “An Act to
Regulate the Organization and Operation of Private Detective,
Watchmen or Security Guards Agencies” and other applicable laws.

SECTION 7. Interpretation. — Any doubt in the interpretation of any
provision of this Circular shall be liberally interpreted in a manner
mindful of the rights and interests of the data subjects.


SECTION 8. Transitory Provisions. — PICs and PSAs acting as PIPs
shall be given a period of sixty (60) days from the effectivity of
these Guidelines to comply with the requirements provided herein.

SECTION 9. Separability Clause. — If any portion or provision of
this Circular is declared null and void, or unconstitutional, the other
provisions not affected thereby shall continue to be in force and
effect.

SECTION 10. Repealing Clause. — All other rules, regulations, and
issuances contrary to or inconsistent with the provisions of this
Circular are deemed repealed or modified accordingly.

SECTION 11. Effectivity. — This Circular shall take effect fifteen (15)
days after its publication in the Official Gazette or a newspaper of
general circulation.

Approved:

SGD.
JOHN HENRY D. NAGA
Privacy Commissioner

SGD.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

NPC No. 2022-03
Registration of Personal Data
Circulars
Page 1 of 21

NPC Circular No. 2022-04

Date : 05 December 2022

Subject : REGISTRATION OF PERSONAL DATA PROCESSING
SYSTEM, NOTIFICATION REGARDING AUTOMATED
DECISION-MAKING OR PROFILING, DESIGNATION OF
DATA PROTECTION OFFICER, AND THE NATIONAL
PRIVACY COMMISSION SEAL OF REGISTRATION

WHEREAS, Article II, Section 24, of the 1987 Constitution
provides that the State recognizes the vital role of communication
and information in nation-building. At the same time, Article II,
Section 11 thereof emphasizes that the State values the dignity of
every human person and guarantees full respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as
the Data Privacy Act of 2012 (DPA), provides that it is the policy
of the State to protect the fundamental human right of privacy of
communication while ensuring free flow of information to promote
innovation and growth. The State also recognizes its inherent
obligation to ensure that personal information in information and
communications systems in the government and in the private sector
are secure and protected;

WHEREAS, Section 16 of the DPA and Section 34 of its
Implementing Rules and Regulations (IRR) provide that data subjects
shall be furnished with and given access to their personal data that
are being processed in Data Processing System, as well as the
purpose, scope, method, and manner of such processing, including
the existence of automated decision-making;

WHEREAS, pursuant to Section 7 of the DPA, the National
Privacy Commission (NPC) is charged with the administration and
implementation of the provisions of the law, which includes ensuring
the compliance by a personal information controller (PIC) with the
provisions thereof, publishing a compilation of an agency’s system
of records and notices, and carrying out efforts to formulate and
implement plans and policies that strengthen the protection of
personal data, in coordination with other government agencies and
private entities;

NPC CIRCULAR NO. 2022-04 981

WHEREAS, Section 9 of the IRR provides that, among the
NPC’s functions, is to develop, promulgate, review, or amend rules
and regulations for the effective implementation of the DPA;

WHEREAS, Section 24 of the DPA states that, when entering
into any contract that may involve accessing or requiring sensitive
personal information from at least one thousand (1,000) individuals,
a government agency shall require the contractor and its employees
to register its personal information processing system with the NPC
in accordance with the DPA and to comply with the law’s provisions.
Furthermore, Section 14 of the DPA mandates that a personal
information processor (PIP) shall also comply with all requirements
of the DPA and other applicable laws;

WHEREAS, in line with Sections 46 and 47 of the IRR, a PIC or
PIP that employs fewer than two hundred fifty (250) persons shall
not be required to register unless the processing it carries out is
likely to pose a risk to the rights and freedoms of data subjects, is not
occasional, or includes sensitive personal information of at least one
thousand (1,000) individuals. Moreover, Section 48 thereof declares
that a PIC carrying out any automated processing operation that is
intended to serve a single or several related purposes must notify
the NPC when the operation becomes the sole basis for making
decisions about a data subject, and when such decision would
significantly affect the data subject;

WHEREAS, Sections 46 and 47, Rule XI of the IRR also require
the effective and efficient monitoring of Data Processing Systems
that are likely to pose a risk to the rights and freedoms of data
subjects, including those that involve information likely to affect
national security, public safety, public order, or public health or
information required by applicable laws or rules to be confidential;
vulnerable data subjects like minors, the mentally ill, asylum seekers,
the elderly, patients, those involving criminal offenses, or in any
other case where an imbalance exists in the relationship between a
data subject and a PIC or PIP, especially those involving automated
decision-making or profiling;

WHEREFORE, in consideration of these premises, the
NPC hereby issues this Circular governing the registration of
Data Processing System and Data Protection Officer, notification
regarding automated decision-making or profiling, and the NPC seal
of registration:

PRELIMINARY PROVISIONS
PRELIMINARY PROVISIONS

SECTION 1. Scope. The provisions of this Circular shall apply to
any natural or juridical person in the government or private sector
processing personal data and operating in the Philippines, subject
to the relevant provisions of the DPA, its IRR, and other applicable
issuances of the NPC.

SECTION 2. Definition of Terms. For the purpose of this Circular, the
definition of terms in the Data Privacy Act of 2012 and its IRR are
adopted, and the following terms are defined, as follows:

A. “Automated Decision-making” refers to a wholly or partially


automated processing operation that can make decisions
using technological means totally independent of human
intervention; automated decision-making often involves
profiling;

B. “Common DPO” refers to an individual who is a member of a


group of related companies or an individual consultant under
contract with several separate PICs and PIPs who is appointed
or designated to be primarily responsible for ensuring the
compliance of each of the concerned entities with the DPA,
its IRR and all other relevant issuances of the Commission;

C. “Compliance Officer for Privacy” or “COP” refers to an individual
that performs the functions or some of the functions of a DPO in a
particular region, office, branch, or area of authority;

D. “Data Protection Officer” or “DPO” refers to an individual
designated by the head of agency or organization to ensure its
compliance with the Act, its IRR, and other issuances of the
Commission: Provided, that, except where allowed otherwise by law or
the Commission, the individual must be an organic employee of the
government agency or private entity: Provided further, that a
government agency or private entity may not have more than one DPO;


E. “Data sharing” is the sharing, disclosure, or transfer to a third
party of personal data under the custody of a personal information
controller to one or more other personal information controllers;
In the case of a personal information processor, data sharing
should only be allowed if it is carried out on behalf of and upon
the instructions of the personal information controller it is
engaged with via a subcontracting agreement. Otherwise, the
sharing, transfer, or disclosure of personal data that is incidental
to a subcontracting agreement between a personal information
controller and a personal information processor should be excluded.

F. “Government Agency” refers to a government branch, body, or
entity, including national government agencies, instrumentalities,
bureaus, or offices, constitutional commissions, local government
units, government-owned and controlled corporations and
subsidiaries, government financial institutions, state colleges and
universities;
G. “Head of Agency” refers to:

1. the head of the government entity or body, for national
government agencies, constitutional commissions or offices, or
branches of the government;

2. the governing board or its duly authorized official for
government-owned and controlled corporations, government financial
institutions, and state colleges and universities;

3. the local chief executive, for local government units;

H. “Head of Organization” refers to the head or decision-making body
of a private entity or organization;
For private organizations or government-owned and controlled
corporations organized as private corporations, the Head of
Organization may be the President, the Chief Executive Officer, or
the Chairman of the Board of Directors or any officer of equivalent
rank in the organization.

I. “Individual Professional” refers to individuals who are
self-employed and who derive income practicing their professions,
with or without license from a regulatory board or body, not being
part of a partnership, firm, or other organization, which should
otherwise be registered as a personal information controller, and
which practice includes the processing of personal data. The
individual professional is the de facto DPO;

J. “Operating in the country” refers to PICs and PIPs who, although
not founded or established in the Philippines, use equipment that
are located in the Philippines, or those who maintain an office,
branch, or agency in the Philippines;

K. “Private entity” or “Private organization” refers to any natural
or juridical person that is not a unit of the government, including,
but not limited to, a corporation, partnership, company, non-profit
organization, or any other legal entity;

L. “Profiling” refers to any form of automated processing of data
consisting of the use of personal data, such as an individual’s
economic situation, political or religious beliefs, behavioral or
marketing activities, personal preferences, electronic
communication data, location data, and financial data, among
others, in order to evaluate, analyze, or predict his or her
performance, qualities, and behavior, among others;

M. “Registration information” refers to the completed registration
details as inputted by the registrant into the NPC’s official
registration platform.

SECTION 3. Purpose. This Circular establishes the following:

A. The framework for registration of Data Processing Systems in the
Philippines, including online web-based and mobile applications
that process personal data;

B. The mandatory or voluntary registration of Data Protection
Officers (DPO) in both the government and private entities as
hereby prescribed in the succeeding sections; and

C. The imposition of other requirements to achieve the following
objectives:

1. ensure that PICs and PIPs covered by this Circular and as
provided for in the succeeding sections are able to register its
DPO;

2. ensure that PICs and PIPs keep a record of their data processing
activities;

3. guarantee that information about Data Processing System owned by
PICs or PIP operating in the country are made accessible to the
Commission to enable a more efficient compliance monitoring process
and uphold the exercise of data subject rights under the DPA; and
4. promote transparency and accountability in the processing
of personal data.

SECTION 4. General Principles. This Circular shall be governed by
the following general principles:

A. Registration of an entity’s Data Processing System and DPO with
the Commission shall be one of the means through which a PIC or PIP
demonstrates its compliance with the DPA, its IRR, and other
relevant issuances of the NPC.

B. Registration information submitted by a PIC or PIP to the NPC are
presumed to contain all required information on its Data Processing
System that are active or existing during the validity of such
registration. Any information excluded therefrom are deemed
nonexistent.

C. Registration information submitted by a PIC or PIP to the NPC on
the identity and official contact details of the designated DPO
shall remain effective unless otherwise amended or updated in
accordance with the process in this Circular.
D. Unless otherwise provided in this Circular, any information,
file, or document submitted by a PIC or PIP to the NPC shall
be kept confidential.

E. Any doubt in the interpretation of the provisions of this
Circular shall be liberally interpreted in a manner that would
uphold the rights and interests of data subjects.


REGISTRATION OF DATA PROCESSING SYSTEM
AND DATA PROTECTION OFFICER

SECTION 5. Mandatory Registration. A PIC or PIP that employs two
hundred fifty (250) or more persons, or those processing sensitive
personal information of one thousand (1,000) or more individuals,
or those processing data that will likely pose a risk to the rights
and freedoms of data subjects shall register all Data Processing
Systems.

A. A Data Processing System processing personal or sensitive
personal information involving automated decision-making or
profiling shall, in all instances, be registered with the
Commission.

B. A PIC or PIP shall register its own Data Processing System. In
instances where the PIC provides the PIP with the system, the PIC is
obligated to register the same. A PIC who uses a system as a service
shall register the same indicating the fact that processing is done
through a service provider. A PIP who uses its own system as a
service to process personal data must register with the Commission.

C. A PIC or PIP who is an Individual Professional for mandatory
registration shall register with the Commission. For this purpose,
the following shall be considered:

1. An Individual Professional is self-employed and practicing his or
her profession as defined under this Circular;

2. A business establishment, if registered as a PIC and operating
under a different business name, partnership, firm, or other
organization, shall not register separately as an Individual
Professional;

3. An Individual Professional shall be considered as the de facto
DPO.

SECTION 6. Voluntary Registration. An application for registration
by a PIC or PIP whose Data Processing System does not operate under
any of the conditions set out in the preceding Section may register
voluntarily following the process outlined in this Circular.


A PIC or PIP who does not fall under mandatory registration and
does not undertake voluntary registration shall submit a sworn
declaration (see Annex 1). The Commission through an Order may
require a PIC or PIP to submit supporting documents related to this
submission.

SECTION 7. When to Register. A covered PIC or PIP shall register its
newly implemented Data Processing System or inaugural DPO in the
NPC’s official registration platform within twenty (20) days from
the commencement of such system or the effectivity date of such
appointment.
In the event a covered PIC or PIP seeks to apply minor amendments
to its existing registration information, which includes updates on an
existing Data Processing System, or a change in DPO, the PIC or PIP
shall update the system within ten (10) days from the system update
or effectivity of the appointment of the new DPO.

SECTION 8. Authority to Register. A PIC or PIP shall file its
application for registration through its designated DPO. A PIC or
PIP shall only be allowed to register one (1) DPO, provided that in
cases where a PIC or PIP has several branches, offices, or has a
wide scope of operations, the PIC or PIP may designate one (1) or
more Compliance Officers for Privacy (COP) who shall then be
indicated as such in the DPO registration. Approval of the
Commission is not required for COP designations.

A COP shall always be under the direct supervision of the DPO. Under
no circumstance shall the registered COP be treated as a DPO unless
the DPO registration is amended to reflect such changes. Further, in
cases where a COP is designated by the PIC or PIP, the registration
shall be accompanied by the list of COPs clearly indicating the
branch, office, unit, or region to which they are assigned along
with the official e-mail address and contact number.

In all cases, a PIC or a PIP is required to provide its DPO’s
dedicated e-mail address that should be separate and distinct from
the personal and work e-mail of the personnel assigned as a DPO. The
DPO’s dedicated e-mail address must be maintained at all times to
ensure that the Commission is able to communicate with the PIC and
PIP. In case the individual designated as DPO vacates the position,
the PIC or PIP should designate an interim DPO to monitor any
communications sent through the official DPO e-mail address.


A Common DPO shall be allowed so long as entities are registered
separately. The Common DPO shall register each entity individually.
Approval of the Commission is not required for Common DPO
appointments.

An Individual Professional shall register himself or herself as the
DPO. In cases where the Individual Professional contracts another
person to act as DPO he or she shall indicate such fact and provide
the required contact details of such person in the registration
record. The Commission through an Order may require a PIC or PIP to
submit supporting documents related to this submission.

SECTION 9. Registration Process. A PIC or PIP shall create an
account by signing up in the NPC’s official registration platform
where it shall provide details about the entity.

A. Upon signing up, the PIC or PIP shall input the name and contact
details of the DPO together with a unique and dedicated
email address, specific to the position of DPO pursuant to the
provisions of the fourth paragraph of Section 8.
B. During registration proper, the PIC or PIP shall encode the
name and contact details of the Head of the Organization or
Head of Agency.
C. The prescribed application form shall be accomplished and
shall be uploaded together with all supporting documents as
provided under Section 11.
D. The details of all Data Processing System owned by the PIC
or PIP shall be encoded into the platform. All Data Processing
System of the PIC or PIP at the time of initial registration must
be encoded into the system.
E. The PIC or PIP shall identify and register all publicly facing
online mobile or web-based applications in accordance with
Section 3(A).
F. The submissions of the PIC or PIP shall undergo review and
validation by the Commission. In case of any deficiency, the
PIC or PIP shall be informed of the same and shall be given
five (5) days to submit the necessary requirements. Once the
submissions have been validated and considered complete,
the PIC or PIP shall be informed that the Certificate of
Registration is available for download.


An Individual Professional shall register only under his or her
name, and indicate his or her principal business address and contact
details. Registration through physical submission of requirements is
not allowed.

SECTION 10. Mandatory Appointment of DPO in the Government. A
Government Agency is required to designate and register a DPO with
a rank not lower than an Assistant Secretary or Executive Director
IV in case the highest ranking official is a Department Secretary
or a position of equivalent rank; at least Director IV level in case
the highest ranking official is an Undersecretary or a position of
equivalent rank; at least Director II level in case the highest
ranking official is an Assistant Secretary or a position of
equivalent rank; and at least a Division Chief in case the highest
ranking official is a Regional Director or a position of equivalent
rank.

For Local Government Units (LGUs), the Provincial, City and Municipal
levels shall designate and register a DPO with a rank not lower than
Department Head.

Cities and Municipalities can designate a COP at the Barangay level,
provided that the COP shall be under the supervision of the DPO of
the corresponding City, or Municipality that the Barangay is part of.

SECTION 11. Application Form. An application for registration filed
by a PIC or PIP must be duly notarized and be accompanied by the
following documents:

A. For government agencies:

Special or Office Order, or any similar document, designating or
appointing the DPO of the PIC or PIP;

B. For domestic private entities:

1. For Corporations:

a) (1) duly notarized Secretary’s Certificate authorizing the
appointment or designation of DPO, or (2) any other document
demonstrating the validity of the appointment or designation of the
DPO signed by the Head of the Organization with an accompanying
valid document conferring authority to the Head of Organization to
designate or appoint persons to positions in the organization.

b) Securities and Exchange Commission (SEC) Certificate of
Registration.

c) certified true copy of latest General Information Sheet.

d) valid business permit.

2. For One Person Corporation

a) (1) duly notarized Secretary’s Certificate authorizing the
appointment or designation of DPO, or (2) any other document that
demonstrates the validity of the appointment or designation of DPO
signed by the sole director of the One Person Corporation.

b) SEC Certificate of Registration

c) valid business permit.

3. For Partnerships

a) duly notarized Partnership Resolution or Special Power of
Attorney authorizing the appointment or designation of DPO, or any
other document that demonstrates the validity of the appointment or
designation.

b) SEC Certificate of Registration.

c) valid business permit.

4. Sole Proprietorships:
a) duly notarized document appointing the DPO and
signed by the sole proprietor, in case the same should
elect to appoint or designate another person as DPO.

b) DTI Certificate of Registration.

c) valid business permit.


C. For foreign private entities:

1. Authenticated copy or Apostille of Secretary’s Certificate
authorizing the appointment or designation of DPO, or any other
document that demonstrates the appointment or designation, with an
English translation thereof if in a language other than English.

2. Authenticated copy or Apostille of the following documents, with
an English translation thereof if in a language other than English,
where applicable:

a) Latest General Information Sheet or any similar document.
b) Registration Certificate (Corporation, Partnership, Sole
Proprietorship) or any similar document.
c) valid business permit or any similar document.

SECTION 12. Details of Registration. In the NPC’s online
registration platform, a PIC or PIP shall provide the following
registration information:

A. details of the PIC or PIP, the Head of Agency or Organization,
and the Data Protection Officer.

1.) name and contact details of the PIC or PIP, Head of Agency
or Organization, and DPO as well as the designated COP,
if any, with supporting documents.

2.) a unique and official email address specific to the position of
DPO of the PIC or PIP, and not with the person who is the DPO.

3.) primary purpose of the private entity or the constitutional or
statutory mandate of the government agency;

B. brief description per Data Processing System:

1.) name of the system;

2.) basis for the processing of information;


3.) purpose or purposes of the processing;

4.) whether processing is being performed as a PIC or PIP, if an
organization uses the same system as a PIC and as a PIP, then the
organization shall register such usage separately;

5.) whether the system is outsourced or subcontracted, and if so,
the name and contact details of the PIP;

6.) description of the category or categories of data subjects, and
their personal data or categories thereof;

7.) recipients or categories of recipients to whom the personal data
might be disclosed;

8.) description of security measures (Organizational, Physical, and
Technical)

9.) general information on the Data Life Cycle (Time, Manner, or
Mode of Collection, Retention Period, and Disposal/Destruction/
Deletion Method/Procedure)

10.) whether personal data is transferred outside of the
Philippines; and

11.) the existence of Data Sharing Agreements with other parties;

C. Identify all publicly facing online mobile or web-based
applications, including internal apps with PIC or PIP employees as
clients.

D. Notification regarding any automated decision-making operation or
profiling.

SECTION 13. Certificate of Registration. The Commission shall
issue a Certificate of Registration in favor of a PIC or PIP, that has
successfully completed the registration process. The Certificate of
Registration shall only be considered as proof of such registration
and not a verification of the contents thereof.

Any party may request, in writing, an authenticated copy of the
Certificate of Registration of a PIC or PIP, subject to payment of
reasonable fees covered by a separate issuance for this specific
purpose.


SECTION 14. Validity. A Certificate of Registration shall be valid
for one (1) year from its date of issuance; provided, that the
certificate may be revoked by the Commission on any of the grounds
provided for under Section 35 of this Circular and upon service of a
Notice of Revocation to the PIC or PIP.

SECTION 15. Verification. The Commission may, at any time, verify
any or all registration information provided by a PIC or PIP through
its compliance check function. Through a privacy sweep of publicly
available information, notices of document submission or during
on-site examination of the Data Processing System, all relevant
documents shall be made available to the Commission.

SECTION 16. Amendments or Updates. Subject to reasonable fees that
may be prescribed by the Commission, major amendments to
registration information shall be made within thirty (30) days from
the date such changes take into effect. Major amendments are the
changes to the following:

(a) Name of the PIC or PIP; and

(b) the Office Address of the PIC or PIP.

Minor updates shall be made within ten (10) days from the date such
changes take into effect. Updates shall include all other information
other than those covered as a major amendment.

The PIC or PIP shall fill up the necessary form and submit
accompanying supporting documents when required.

SECTION 17. Non-Registration. A PIC or PIP shall be considered as
unregistered under the following circumstances:

A. failure to register with the Commission in accordance with
Section 7 of this Circular;

B. expiration and non-renewal of Certificate of Registration;

C. non-submission of any deficiency in supporting documents within
five (5) days from notice;

D. rejection or disapproval of an application for registration, or
an application for renewal of registration; or


E. revocation of the Certificate of Registration.

SECTION 18. Renewal. A PIC or PIP may only renew its registration
thirty (30) days before the expiration of the one-year validity of its
Certificate of Registration.

SECTION 19. Reasonable Fees. To recover administrative costs, the
Commission may require the payment of reasonable fees for
registration, renewal, and other purposes in accordance with a
schedule that shall be provided in a separate issuance.

SECTION 20. Imposition of Administrative Fines. A PIC or PIP covered
by Mandatory Registration who shall be in violation of the same,
shall be subject to the corresponding fine in accordance with the
Guidelines on Administrative Fines.

A PIC or PIP who failed to comply with an Order of the Commission to
submit documents in relation to Section 5(A) and the last paragraph
of Section 8 shall be liable for failure to register and failure to
comply with an Order of the Commission.

SECTION 21. Inaccessible DPO Accounts. In case a DPO account was not
properly transferred, or in cases of inaccessibility to the
registration platform due to lost credentials, or upon failure of a
prior DPO to properly turn over the accountability to the
registration platform, the PIC or PIP shall submit a notarized
letter of explanation or any similar document as justification as to
why the DPO account was lost or not properly transferred without
prejudice to any administrative finding of failure to register or to
update registration. Subject to reasonable fees that may be
prescribed by the Commission, the Head of Agency or Head of
Organization may request the retrieval of the account.

SECTION 22. Withdrawal of Registration. Withdrawal of registration
of information due to cessation of business, or in cases when
personal data processing is no longer done or for other similar
reasons, shall be made in writing and accompanied by supporting
documents such as certified photocopy of SEC Certificates of
Dissolution of corporation, or board resolutions, within two (2)
months from the date such cessation takes effect which shall be
submitted electronically via email. It shall be presumed that the
PIC or PIP is still processing personal information or is still
operating its business in the absence of an application for the
withdrawal of registration. Verily, a PIC or PIP may still be a
subject of a compliance check absent any showing that such
withdrawal has been applied for.

In case of death of an Individual Professional registrant,
withdrawal may be done by the next of kin through written
notification with a copy of the death certificate attached as proof
which shall be submitted electronically via email.

REGISTRY OF DATA PROCESSING SYSTEM

SECTION 23. Maintenance of Registry. The Commission shall maintain a
registry of PICs and PIPs, and of the Data Processing Systems, and
designated or appointed Data Protection Officers in electronic
format.

SECTION 24. Removal from Registry. The registration information of a
PIC or PIP may be removed from the registry, upon prior notice by
the Commission, on any of the following grounds:

A. Incomplete registration;

B. Expiration and non-renewal of registration;

C. Revocation of Certificate of Registration;

D. Expired and void registration; or

E. Withdrawal of registration by the PIC due to cessation of
business, cessation of personal data processing, or death of the
Individual Professional registrant.

Except for Section 24(E), the PIC or PIP is given fifteen (15) days
from notice to answer and explain why its removal should not be
effected.

SECTION 25. Non-inclusion of Confidential Information. Information
classified by the Constitution or any statute as confidential shall
not be included in the registry.


NOTIFICATION REGARDING
AUTOMATED DECISION-MAKING OR PROFILING

SECTION 26. Notification of Automated Decision-Making or Profiling.
A PIC or PIP that carries out any automated decision-making
operation or profiling shall indicate in its registration record and
identify the Data Processing System involved in the automated
decision-making or profiling operation.

The PIC or PIP shall also include information on the following:

A. lawful basis for processing personal data;

1. Other relevant information pertaining to the specified lawful
basis specifying the specific law or regulation among others.

If consent is used as the basis for processing, submission of the
following:

i. consent form used; or
ii. other manner of obtaining consent.

B. retention period for the processed data;

C. methods and logic utilized for automated processing; and

D. possible decisions relating to the data subject based on the
processed data, particularly if the decisions would significantly
affect the data subject’s rights and freedoms.

SECTION 27. When to Notify. Notification regarding automated
decision-making and profiling shall be included in the registration
information that will be provided by a PIC or PIP, as indicated in
Section 12 of this Circular, or through amendments or updates to
such registration information, as per Section 16 of this Circular,
within the prescribed periods.

SECTION 28. Availability of Additional Information. Upon request by
the Commission, a PIC or PIP shall make available additional
information and supporting documents pertaining to its automated
decision-making or profiling operation.


NATIONAL PRIVACY COMMISSION
SEAL OF REGISTRATION

SECTION 29. Issuance of Seal of Registration. The Seal of
Registration shall be issued simultaneously with the Certificate of
Registration which will also be available for download.

SECTION 30. Standard Information. The Seal of Registration shall
contain the following information:

A. The word “Registered” indicating that the PIC or PIP has
registered its DPS and DPO with the Commission;

B. The validity period of the registration;

C. A unique QR code for easy verification of registration
indicating the following:

1. Name of the PIC or PIP;
2. Registered DPO email; and
3. Validity of registration

SECTION 31. Validity. The Seal of Registration shall be valid for one
(1) year from the date of issuance thereof.

SECTION 32. Mandatory Display of Seal of Registration. The Seal of
Registration must be displayed at the main entrance of the place of
business, office or at the most conspicuous place to ensure
visibility to all data subjects.

A PIC or PIP is also required to display the Seal of Registration in
its main website, or at least the webpage specifically pertaining to
the Philippines for global websites, and only as either:

(1) a clickable link leading to the privacy notice; or

(2) displayed directly on the privacy notice page.

SECTION 33. Use of Seal of Registration. The Seal of Registration
shall be exclusively used by the registered PIC or PIP.


The use of the Seal of Registration by any person other than the PIC
or PIP for whatever purpose is prohibited.

SECTION 34. Automatic Revocation or Withdrawal. In all instances
wherein the Certificate of Registration has been revoked, or the
registration of the PIC or PIP has been validly withdrawn, the Seal
of Registration shall automatically be revoked or otherwise
invalidated.

SANCTIONS AND PENALTIES

SECTION 35. Revocation of Certificate of Registration. The
Commission may revoke the registration of a PIC or PIP on any of the
following grounds:

A. failure to comply with any of the provisions of the DPA, its IRR, or
any relevant issuances of the Commission;

B. motu proprio revocation upon failure to comply with any order,
condition, or restriction imposed by the Commission;

C. loss of authority to operate or conduct business, due to the
revocation of its license, permit, franchise, or any other similar
requirement provided by law;

D. cessation of operations or of personal data processing;

E. lack of capacity or inability to securely process personal data
in accordance with the DPA as determined by the Commission thru its
compliance check function;

F. issuance by the Commission of a temporary or permanent ban on
data processing against the PIC or PIP: Provided, that in the case
of a temporary ban, such prohibition is still in effect at the time
of filing of the application for renewal of registration;

G. motu proprio revocation for providing false information in the
registration or misrepresenting material information in the
registration.

Provided, that, prior to revocation, the Commission shall give the PIC
or PIP an opportunity to explain why its Certificate of Registration
should not be revoked.


In cases of motu proprio revocation in Sections B or G, it shall be
operative upon the administrative finding of liability for the
infraction.

SECTION 36. Notice of Revocation. Where the registration of a PIC
or PIP is revoked, the Commission shall issue a Notice of Revocation
of Registration, which shall be served upon the PIC or PIP.

SECTION 37. Penalties and Fines. A PIC or PIP whose Certificate of
Registration has been revoked or that is determined to have violated
the registration requirements provided in this Circular may, upon
notice and hearing, be subject to compliance and enforcement orders,
cease and desist orders, temporary or permanent bans on the
processing of personal data, or payment of administrative fines. For
this purpose, the registration requirements shall pertain to the
provisions on mandatory registration, amendments and updates, and
renewal of registration.

SECTION 38. Cease and Desist Order. When the Commission, upon
notice and hearing, has determined that a PIC or PIP violated this
Circular, such as the failure to disclose its automated decision-making
or profiling operation through the appropriate notification processes
set out in this Circular and noncompliance on the mandatory display
of the seal of registration, the Commission may cause upon the PIC
or PIP the service of a Cease and Desist Order on the processing
of personal data: Provided, that this is without prejudice to other
processes or reliefs as the Commission may be authorized to initiate
pursuant to Section 7 of the DPA and any other administrative, civil,
or criminal penalties that the PIC or PIP may incur under the DPA
and other applicable laws.

MISCELLANEOUS PROVISIONS

SECTION 39. Transitory Period. Notwithstanding the period in the
first paragraph of Section 7 of this Circular, all covered PICs and PIPs
shall complete their Data Processing System and DPO registration
within one hundred eighty (180) days from the effectivity of this
Circular.

SECTION 40. Repealing Clause. This Circular supersedes in its
entirety NPC Circular No. 17-01. The provisions of the IRR and all
other issuances contrary to or inconsistent with the provisions of
this Circular are deemed repealed or modified accordingly.


SECTION 41. Separability Clause. If any portion or provision of this
Circular is declared null and void, or unconstitutional, the other
provisions not affected thereby shall continue to be in force and
effect.

SECTION 42. Publication and Effectivity. This Circular shall take
effect fifteen (15) days after its publication in the Official Gazette or
two newspapers of general circulation and the submission of a copy
hereof to the Office of the National Administrative Register of the
University of the Philippines.

Approved:

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner



NPC FAQS
Guidelines on Administrative Fines
Circulars
Page 1 of 9

FREQUENTLY ASKED QUESTIONS ON THE GUIDELINES ON
ADMINISTRATIVE FINES

Section 1- Scope

1. The Guidelines cover all Personal Information Controllers (PICs)
and Personal Information Processors (PIPs) as defined by the
Data Privacy Act of 2012 (DPA). Does this cover even PICs and
PIPs established outside of the Philippines?

Yes, the Circular covers PICs and PIPs established outside of
the Philippines. Section 1 of the Circular provides that it covers
all PICs and PIPs as defined in the DPA, whether from the public
or private sector. This also covers PICs and PIPs outside of the
Philippines if they fall under the requisites found under Section 4
or Section 6 of the DPA. In such instances, the gross income of
the foreign PIC or PIP within the Philippines that committed the
infraction will be considered to determine the imposable fine.

2. Will this apply to companies not registered with the National
Privacy Commission (NPC)?

Yes, the Circular applies to entities not registered with the
NPC, provided that those entities are covered by the DPA.

Section 2- Administrative Fines

3. Why are percentage fines used by the Commission instead of a
fixed amount of fine?

The Commission, in working together with the University
of the Philippines Law Center, has determined that using
percentage fines, as opposed to standard amounts, is the most
effective mechanism to impose administrative fines. This allows
the Commission to set effective, proportionate, and dissuasive
fines regardless of the size of a violating entity.

In utilizing a percentage range, optimal deterrence will be
achieved since it provides ex ante incentives for the PIC or PIP
to adopt optimal or reasonable levels of data protection. To
deter violations, a fine should be equal or larger than the cost of
precaution at the optimal level. Thus, the percentage of fines in
the Circular is intended to be equal to or larger than the possible
cost of privacy security that the PICs or PIPs will put in place.

Furthermore, the Economic Study, which was prepared by
the University of the Philippines Law Center with the help of their
economic consultant, has determined that the use of percentage
fines allows for the protection of the fundamental human right of
privacy of communication while ensuring free flow of information.
This mutually beneficial exchange of information leads to the
promotion of innovation and growth.

4. Section 2 of the Circular provides that the PIP can be held
equally liable as the PIC for administrative fines. Under the
Principle of Accountability in the DPA, however, the PIC is liable
for any violations even those performed by its subcontractors.
Thus, following Section 21 of the DPA, shouldn’t the PIC be
solely responsible and liable for the administrative infractions
committed by the PIP under its control, subject only to
contractual agreements between them on indemnity?

No, the PIC will not be solely impleaded for purposes of
administrative fines. The wording of the Circular includes both the
PIC and PIP because in complaints initiated by the data subjects,
the complainant may not be aware whether the entity is a PIC or
PIP since he or she is not privy to these matters.

Nevertheless, the Principle of Accountability and the
contractual arrangements between the PIC and PIP regarding
liabilities may be invoked by the parties in their respective
submitted pleadings for the evaluation of the Commission.

5. In determining the total imposable fine, how will the Five Million
Peso (Php 5,000,000.00) cap in Section 2 be implemented?
Does it mean that the PIC or PIP’s maximum penalty for a single
action will be Php 5,000,000.00 regardless of the applicable
percentages under Section 2 of the Circular?

As written, Section 2 of the Circular states that “In any case,
the total imposable fine for a single act of a PIC or PIP, whether
resulting in single or multiple infractions, shall not exceed Five
Million Pesos (Php 5,000,000.00).”

The term “single act” refers to an act of processing. A
single act may give rise to several violations. Nevertheless, in
determining what constitutes a “single act”, the number of the
affected data subjects whose rights are violated, or the amount
of personal information processed are not considered since the
term pertains to a “per processing” activity.

At any given time, however, the maximum imposable penalty
for a single act is Php 5,000,000.00, regardless of the applicable
percentage range under Section 2 of the Circular.

This cap of Php 5,000,000.00 will be subject to periodic
review by the Commission to determine if there is a need to
revise the amount in the future.

6. How will the type of infraction be determined? Is it by counting
the number of provisions under Section 11 or Section 16 of the
DPA that were violated by PIC or PIP’s single action?

Yes, the type of infraction will be determined by taking into
consideration the number of (1) general data privacy principles
and (2) data subject rights violated. However, the number of
principles and rights violated will not be compounded with the
number of data subjects affected. Thus, to be considered a
Major Infraction, the total affected data subjects is one thousand
or below (1-1,000), while for Grave Infractions, the number of
affected data subjects exceeds one thousand (1,001 or more).

7. Under Other Infractions, it states that “any natural or juridical
person processing personal data that fails to comply with any
Order, Resolution or Decision of the Commission, or of any of
its duly authorized officers, pursuant to Section 7 of the DPA
and its corresponding implementing issuances shall be subject
to an administrative fine not exceeding Fifty Thousand Pesos
(Php 50,000.00)”. How will this be determined and computed?

Section 2 of the Circular, under Other Infractions (b) provides
“the fine to be imposed as a result of this infraction shall be in
addition to the fine imposed for the original infraction subject of
the Order, Resolution or Decision of the Commission”.

For instance, if a PIC or PIP fails to comply with the Order,
Resolution or Decision imposing a fine for a Grave Infraction
amounting to Php 1,000,000.00, it shall be liable for Other
Infraction and subject to a Php 50,000.00 fine. Thus, the total
amount payable will be Php 1,050,000.00 which represents the
Grave Infraction and Other Infraction committed.

Another instance is when a PIC or PIP fails to abide by an
Order to furnish documents issued by authorized officers of the
Commission; the PIC or PIP is still required to comply with the


Order. Thus, it should submit the documents and pay the fine in
an amount not exceeding Php 50,000.00.

The amount of the fine to be imposed, not exceeding Php 50,000.00,
shall be determined by the Commission, taking into consideration
Section 3 of the Circular on factors affecting fines.

8. Will a company be fined for acts of employees when the
company has shown proof that it has implemented appropriate
measures?

Yes, a company will be fined for the acts of its employees
following the Accountability Principle. Pursuant to this, the
Circular specifically covers only PICs or PIPs. Nevertheless, the
company is not precluded from impleading or going after the
concerned employee in a separate action or proceeding wherein
it may show proof that it has implemented appropriate measures.

9. The Grave and Major Infractions penalizing the violation of
Section 11 or Section 16 of the DPA are too broad and subject
to different interpretations. Will the Commission issue further
guidelines on these violations?

No, the Commission has issuances on the interpretation of
these general privacy principles under Section 11 and data subject
rights under Section 16 of the DPA, which will guide the PICs
and PIPs in determining whether an infraction may have been
committed. All parties will be given the opportunity to be heard,
and due process will be observed in accordance with the NPC
Rules of Procedure.

10. Would there be guidelines released per sector just to have a
view of what are reasonable and appropriate for the Commission?

No, there will be no guidelines released per sector. The DPA,
IRR and NPC issuances are deemed sufficient to inform the public
of the appropriate and reasonable security measures expected
of all PICs and PIPs.

The Commission shall evaluate PICs and PIPs based on the
pleadings and evidence submitted to it. Thus, the compliance
of the PICs and PIPs on appropriate and reasonable security
measures shall be decided on a case-to-case basis.

11. Will the Commission consider a reasonable graduation per
year in the imposition of maximum penalty to allow companies
to adopt, make changes, and put in measures and processes
to avoid a violation of the DPA and its implementing rules
and regulations? This is still a relatively new law and not all
companies have the expertise and/or system to fully comply
with the applicable provisions.

No, the DPA was enacted in 2012 and the Commission was
constituted in 2016. Since then, the Commission has been actively
promoting, educating, and assisting the stakeholders, such as the
PICs and PIPs. Hence, there is no need to allow additional time
for PICs and PIPs to adjust and prepare as the Commission has
given these PICs and PIPs sufficient time and support to make
the necessary changes, adjustments in processes and implement
measures to comply with the law.

Section 3- Factors Affecting Fines

12. How will the Commission define the standard for determining
the factors that affect fines? Will the Commission provide
examples or specific circumstances that may be considered as
aggravating or mitigating factors?

No, the Commission will evaluate these factors on a case-to-
case basis. The aggravating or mitigating factors will be decided
on each case individually, according to the facts and circumstances
presented before the Commission. Nevertheless, the Circular
provides for a list of factors affecting fines to be imposed by the
Commission. All circumstances that the PIC or PIP thinks should
be considered for evaluation should be included in the pleadings
submitted to the Commission.

13. Does the term “annual gross income” pertain to domestic
income of the immediately preceding year of the infraction?

Yes, for natural and juridical entities established in foreign
jurisdictions that committed the infraction, the annual gross
income only applies to the domestic income of the immediately
preceding year of the infraction or only the income derived from
sources within the Philippines.

On the other hand, for natural and juridical entities established
in the Philippines, the “gross annual income” includes the income
derived from all sources within and without the Philippines, in
adherence to the definition of “gross annual income” under the
Philippine laws on Taxation.

Section 4 – Due Process

14. Will the 2021 Rules of Procedure of the NPC apply?

Yes, as stated in Section 4 of the Circular, the Rules of Procedure
of the NPC will apply. The applicable Rules of Procedure shall
depend on whichever set of Rules of Procedure is in effect at the
time the infraction is committed.

Section 5- Appeal

15. Will an appeal stay the execution and imposition of
administrative fines?

No, an appeal will not stay the execution and imposition of
administrative fines. Section 5 of the Circular provides that a
Decision or Resolution of the Commission shall be immediately
executory.

In any or all actions assailing the Decision or Resolution of
the Commission pertaining to the imposition or execution of an
administrative fine, the PIC or PIP may post a cash or surety bond
equivalent to the total amount of fine imposed, exclusive of the
damages, attorney’s fees, and other monetary awards, which
shall result in the staying of the execution as provided in Section
6 of the Circular.

16. How will the PICs or PIPs pay for the fine imposed by the
Commission?

The PICs or PIPs shall pay the fine imposed, in cash or
manager’s check, through the Finance and Administrative Office
(FAO) of the Commission.

Section 6- Posting of Bond on Imposed Administrative Fines

17. What will be the effect of the failure to post the cash or surety
bond?

The non-posting of bond shall result in the immediate
execution of the imposed administrative fine.

18. Are parties allowed to file a Motion to Reduce bond due to valid
reasons?

No, the Commission will not entertain a Motion to Reduce
bond for whatever reason.

Section 7- Refusal to Comply

19. Section 7 of the DPA and Section 4 of NPC Circular No. 20-02
on the Rules on the Issuance of Cease-and-Desist Orders (CDO)
identify the specific parameters within which to issue a CDO.
Refusal to pay is not a ground for the issuance of a CDO. How
can the foregoing provision be reconciled with Section 7 of the
Circular on Administrative Fines?

As worded, Section 7 of the Circular used the word “may”
which highlights the Commission’s discretion to issue a CDO
depending on the circumstances of each case. The Commission’s
power to issue a CDO is rooted in the DPA. Following this, NPC
Circular No. 20-02 provides for an initial list of the grounds for
the issuance of a CDO. The Commission, through this Circular,
provides an additional ground for the issuance of a CDO.

Section 10- Applicability Clause

20. Section 10 states that: “These rules apply to covered PICs and
PIPs for the above infractions prospectively.” Does this mean
that the Circular would not apply to pending cases?

Yes, the Circular does not apply to pending cases because it
applies prospectively. Infractions committed before the issuance
of the Circular shall not be covered by its provisions. Continuing
infractions or those committed prior to the issuance of the Circular
that exists even after its effectivity, however, are covered.

Administrative fines imposed on a PIC or PIP may arise not
only from complaints filed against a PIC or PIP but also from a PIC
or PIP’s failure to comply with Commission orders, directives, or
issuances.

Other Matters

21. Is the Commission authorized to impose administrative fines
under the DPA?

Yes, the Commission is authorized to impose administrative
fines. Section 7 of the DPA mandates the Commission to: (1) to
ensure compliance of the PICs and PIPs with the DPA; (2) compel
or petition any entity, government agency or instrumentality
to abide by its orders or take action on a matter affecting data
privacy; and (3) monitor compliance and recommend necessary
action to meet minimum standards for protection of personal
information.

First, taken together with the authority of the Commission to
receive complaints, institute investigations, adjudicate, and award
indemnity on matters affecting any personal information, these
powers establish the Commission as a quasi-judicial authority
with all the necessary and implied powers that come with it, such
as the power to impose administrative fines.

Second, the authority of the Commission to impose
administrative fines is explicitly provided under Section 9(f)(6) of
the IRR.

Third, the authority of the Commission to impose administrative
fines stems from long-standing doctrines in administrative law.
Under the “doctrine of necessary implication,” what is implied in
a statute is as much as part thereof as that which is expressed.
Every statutory grant of power, right or privilege is deemed to
include all incidental powers, rights, or privileges. This includes all
such collateral and subsidiary consequences as may be fairly and
logically inferred from its terms.

Considering that the Commission exercises quasi-judicial
functions as mandated by law, and that such function is integral
to the overall authority to administer and implement the DPA, the
Commission has the power to impose administrative fines.

22. Do the administrative fines supersede the penalties enumerated
under Sections 25 to 33 of the DPA?

No, the administrative fines do not supersede the penalties
enumerated under the DPA. On one hand, the penalties under
Sections 25 to 33 of the DPA are criminal in nature, punishable
by imprisonment or a fine, imposed by judicial courts, and only
applicable to natural persons. The Commission may recommend
prosecution to the Department of Justice but may not impose
the criminal penalties itself.

On the other hand, the penalties found under the Circular
are administrative in nature, not punishable by imprisonment,
imposed by the Commission after due notice and hearing, and
imposed on PICs or PIPs whether they are juridical or natural
persons.

NPC JAO No. 22-01
CIRCULARS
JOINT ADMINISTRATIVE ORDER NO. 22-01
Series of 2022

Subject: GUIDELINES FOR ONLINE BUSINESSES REITERATING
THE LAWS AND REGULATIONS APPLICABLE TO
ONLINE BUSINESSES AND CONSUMERS

WHEREAS, the COVID-19 pandemic has disrupted traditional
business models and rearranged economic structures forcing the
accelerated growth of e-commerce, along with the drastic rise in
consumer complaints and fraudulent online transactions;

WHEREAS, the DTI launched the e-commerce Philippines 2022
Roadmap which aims to pursue an e-Commerce policy agenda to
drive its objective of gaining the trust and confidence of the Filipinos
in e-commerce to increase e-commerce transactions, and to help
create a safer environment for online consumers and merchants
facilitated by a strong digital consumer and merchant protection
framework;

WHEREAS, Section 29 of Republic Act No. 8792, or the “Electronic
Commerce Act”, authorizes the DTI to supervise the promotion and
development of electronic commerce in the country together with
relevant government agencies. Further, it shall promulgate rules and
regulations, as well as provide quality standards or issue certifications,
as the case may be, and perform such other functions as may be
necessary for the implementation of Electronic Commerce Act;

WHEREAS, there is a need to issue a policy directive to implement
existing and prevailing trade and industry laws to address the need
to improve the regulation of online selling activities, inform online
sellers, merchants, or e-retailers about the equal treatment of the law
of online and offline businesses, and ensure that they are reminded
of the general laws and regulations that may apply to their online
business;

WHEREAS, pursuant to Executive Order No. 292, or the Administrative
Code of 1987:

1. The Department of Trade and Industry (DTI) shall formulate and
implement policies, plans, and programs relative to the regulation
of trade, industry, and investments, and protect consumers from
trade malpractices and from substandard or hazardous products;

2. The Department of Agriculture (DA) shall promulgate and enforce
all laws, rules and regulations governing the conservation and
proper utilization of agricultural and fishery resources, and be
responsible for the planning, formulation, execution, regulation,
and monitoring of programs and activities relating to agriculture,
food production and supply;

3. The Department of Health (DOH) shall be primarily responsible
for the formulation, planning, implementation, and coordination
of policies and programs in the field of health. Its primary function
is the promotion, protection, preservation or restoration of
the health of the people through the provision and delivery of
health services and through the regulation and encouragement
of providers of health goods and services. The DOH shall issue
orders and regulations concerning the implementation of
established health policies;

4. The Department of Environment and Natural Resources (DENR)
shall formulate, implement and supervise the implementation of the
government’s policies, plans, and programs pertaining to the
management, conservation, development, use and replenishment
of the country’s natural resources. It shall promulgate rules and
regulations in accordance with law governing the exploration,
development, conservation, extraction, disposition, use and such
other commercial activities tending to cause the depletion and
degradation of our natural resources;

WHEREAS, Executive Order No. 913, dated 07 October 1983, vests in
the DTI the power to promulgate rules and regulations to implement
the provision and intent of “trade and industry laws.” Even prior
to the commencement of a formal investigation on a violation of
any trade and industry law, the DTI Secretary has the power to issue
orders on seizures, padlocking, withholding, holding of any craft or
vessel, prevention of departure, and such other preventive measures
and other similar orders;

WHEREAS, Section 125 of Executive Order No. 94, dated 04 October
1947, vests in the DOH the protection of the health of the people, the
maintenance of sanitary conditions, and the proper enforcement of
the laws and regulations relative to health, sanitation, food, drugs
and narcotics, slum housing, garbage and other waste disposal;

WHEREAS, the Food and Drug Administration (FDA), pursuant to
Section 5 (e), and (o) of Republic Act No. 9711 or the “Food and
Drug Administration Act of 2009”, as an office under the DOH,
has the power: (1) to issue certificates of compliance with technical
requirements to serve as basis for the issuance of appropriate
authorization and spot-check for compliance with regulations
regarding operation of manufacturers, importers, exporters,
distributors, wholesalers, drug outlets, and other establishments
and facilities of health products, as determined by the FDA; (2) to
conduct, supervise, monitor and audit research studies on health
and safety issues of health products undertaken by entities duly
approved by the FDA; and (3) to prescribe standards, guidelines,
and regulations with respect to information, advertisements and
other marketing instruments and promotion, sponsorship, and other
marketing activities about the health products as covered in the said
Act;

WHEREAS, pursuant to Article 6 of Republic Act No. 7394, or
the Consumer Act of the Philippines, the DTI established the
CONSUMERNET, on 12 November 1996, in order to facilitate the
flow of consumer protection information and to provide a speedy
resolution of consumer complaints;

WHEREAS, Republic Act No. 8293, or the “Intellectual Property Code
of the Philippines”, mandates the Intellectual Property Office of the
Philippines (IPOPHL) to coordinate with other government agencies
and the private sector efforts to formulate and implement plans
and policies to strengthen the protection of intellectual property
rights in the country and administratively adjudicate contested
proceedings affecting intellectual property rights. The IPOPHL
protects and secures the exclusive rights of scientists, inventors,
artists and other gifted citizens to their intellectual property and
creations. The Intellectual Property Code of the Philippines grants
similar protection to nationals of treaty partners of the Philippines,
especially in the area of repression of unfair competition. The Bureau
of Legal Affairs of the IPOPHL is authorized to order provisional
remedies in accordance with the Rules of Court, such as Preliminary
Attachment, Preliminary Injunction, Temporary Restraining Order,
and Replevin;

WHEREAS, Republic Act No. 10173, or the “Data Privacy Act of 2012”,
authorizes the National Privacy Commission (NPC) to coordinate
with other government agencies and the private sector on efforts
to formulate and implement plans and policies to strengthen the
protection of personal information in the country;

WHEREAS, on 09 March 2020, the Philippines, through the
NPC, became an official participant in the Asia-Pacific Economic
Cooperation Cross-Border Privacy Rules (CBPR) system, committing
itself to protect personal data through enforceable standards,
accountability, risk-based protections, consumer-friendly complaints
handling, consumer empowerment, consistent protection, and cross-
border enforcement cooperation;

NOW, THEREFORE, pursuant to the above-mentioned, and subject
to the limitations of their mandates conferred by law, the DTI,
DA, DENR, DOH, IPOPHL, NPC, hereby promulgate the following
guidelines through this Joint Administrative Order (JAO).

I. PRELIMINARY PROVISIONS

SEC. 1. OBJECTIVE.

This JAO aims to increase consumer confidence in business-to-
consumer (B2C) and business-to-business (B2B) e-commerce
transactions. It seeks to ensure that e-Commerce platforms,
electronic retailers (e-retailers), and online merchants are properly
guided about the rules, regulations, and responsibilities in the
conduct of their online business, considering the need to protect
consumers against deceptive, unfair, and unconscionable sales acts
and practices. Moreover, the purpose of this JAO is to ensure that
online consumers are informed of their rights and the mechanisms
for redress.

SEC. 2. SCOPE AND COVERAGE.

This JAO effectively reiterates existing policies, procedures and
guidelines that should apply to online businesses. This JAO likewise
integrates the procedures and remedies that online consumers are
entitled to.

This JAO shall cover all online businesses, whether natural or juridical,
formal or informal, that are engaged in electronic transactions,
including, but not limited to the sale, procurement, or availment
of goods, digital content/products, digital financial services,
entertainment services, online travel services, transport and delivery
services, and education services. Further, online businesses shall
include but shall not be limited to e-commerce platforms, online
sellers, merchants, e-marketplaces, and e-retailers as defined in
Section 4 of this JAO.

SEC. 3. APPLICABILITY OF LAWS AND REGULATIONS.

The laws applicable to physical or offline businesses are, as far as
practicable, equally applicable to online businesses. Violations of
relevant and pertinent laws governing commerce, including but not
limited to the Consumer Act of the Philippines, Electronic Commerce
Act, and Data Privacy Act of 2012 shall be penalized with the same
penalties as provided in the applicable laws.

Unless expressly specified, nothing in this JAO shall be construed as
to diminish or deprive the regulatory jurisdiction conferred by law
upon other government agencies, including Local Government Units
(LGUs).

SEC. 4. DEFINITION OF TERMS.

As used in this JAO, the following terms are defined to mean:

4.1 Business to Business (B2B) transaction - refers to internet
transactions conducted over marketplaces that facilitate
business to business electronic sales of new and used
merchandise using the internet.

4.2 Business to Consumer (B2C) transaction - refers to the act or
process of selling or providing goods or services by businesses
to consumers, whether for a profit or not;

4.3 Consumer - refers to a person who is a purchaser, lessee,
recipient, or prospective purchaser, lessor or recipient of
consumer products, services, advertising or promotion, credit,
technology, and other items in e-commerce;

4.4 Derivatives - refer to a substance or material extracted or
taken from wildlife such as but not limited to blood, saliva, oils,
resins, genes, gums, honey, cocoon, fur, tannin, urine, serum,
spores, pollen and the like; a compound directly or indirectly
produced from wildlife and/or products produced from wildlife
and wildlife products.

4.5 Digital financial services - refer to services of a financial
nature that are made available to the public through the
internet, including banking services, insurance and insurance-
related services, payment and money transmission services,
remittance services, lending services, investment services, and
other similar or related services;

4.6 Digital content or product - refers to data which is produced
and supplied in electronic form;

4.7 Education service - refers to services designed to promote,
impart, share, source, or review knowledge, and to those
intended to assist, facilitate, or improve learning, through an
online platform, application, website, webpage, social media
account, or other similar platform operated by the provider
for profit, regardless of whether the provider is authorized
to engage in e-Commerce in the Philippines. Moreover, it
commonly refers to four categories: Primary Education
Services; Secondary Education Services; Higher (Tertiary)
Education Services; and Adult Education;

4.8 Electronic commerce or e-commerce - refers to the production,
distribution, marketing, sale, or delivery of goods and services
by electronic means;

4.9 Electronic data message - refers to information generated,
sent, received or stored by electronic, optical or similar means;

4.10 Electronic transaction - refers to the sale or purchase of
goods or services, whether between businesses, households,
individuals, governments, and other public or private
organizations, conducted over computer-mediated networks.
The goods and services are ordered over those networks, but
the payment and the ultimate delivery of the goods or services
may be conducted online or offline.

4.11 E-Commerce platform - refers to a natural or juridical person
that solicits or facilitates the purchase, procurement, or use of
goods and services, with the presence and use of monetary
transactions, including using, developing, creating, or
promoting digital content through digital platforms, websites,
and marketplaces, with functions which connect and
encourage consumers, online merchants, sellers, and retailers
to enter into commercial transactions.

4.12 E-marketplace - refers to an online intermediary that allows
participating merchants to exchange information about
products or services to enter into an electronic commerce
transaction, which may or may not provide information/
services about payments and logistics;

4.13 E-retailer - refers to an organization selling products or services
directly to customers online.

4.14 Goods - refer to physically or digitally produced items over
which ownership rights may be established, and whose
economic ownership may be passed from one to another by
engaging in transactions. For purposes of this JAO, goods
shall include, but not be limited to, live animals and seeds.

4.15 Online business - refers to any commercial activity over the
internet, whether buying or selling goods and/or services
directly to consumers or through a platform, or any business
that facilitates commercial transactions over the internet
between businesses and consumers. Online businesses shall
include e-commerce platforms, e-marketplaces, online sellers/
merchants and e-retailers (e-tailers) as defined in this section.

4.16 Online travel services - refer to services that facilitate
the reservation, purchase or discounting of flights, hotel
accommodations, and vacation rental spaces, through an
online platform, application, website, webpage, social media
account, or other similar platform operated by the provider,
regardless of whether the provider is authorized to engage in
e-commerce in the Philippines.

4.17 Online seller or merchant - refers to an organization or
retailer selling products or services to customers through an
e-marketplace.

4.18 Transport and Delivery Service - refers to the delivery of
food, goods or other merchandise, or of personal transport
services and other courier services, contracted through an
online platform, application, website, webpage, social media
account, or other similar platform operated by the provider,
regardless of whether the provider is authorized to engage in
e-commerce in the Philippines.

4.19 Wildlife - refers to wild forms and varieties of flora and fauna, in
all developmental stages, including those which are in captivity
or are being bred or propagated.

4.20 Wildlife by-product - refers to any part taken from wildlife
species such as meat, hides, antlers, feathers, leather, fur,
internal organs, bones, roots, trunks, barks, petioles, leaf fibers,
branches, leaves, stems, flowers, scales, scutes, shells, coral
parts, carapace and the like, or whole dead body of wildlife
in its preserved/stuffed state, including compounds indirectly
produced in a biochemical process or cycle.

II. RESPONSIBILITIES OF ONLINE BUSINESSES AND PROTECTION
OF CONSUMERS

SEC. 5. RESPONSIBILITIES OF ONLINE BUSINESSES.

To build trust in e-commerce and to protect and uphold the interest
of consumers at all times, online businesses shall comply with all
Philippine laws, rules and regulations, bearing in mind the following
principles of the ASEAN Online Business Code of Conduct:

5.1 Fair Treatment of Consumers. Online businesses shall refrain
from illegal, fraudulent, unethical, or unfair business practices
that may harm consumers.

5.2 Upholding Responsibilities. Online businesses shall value
consumer rights to the same extent as traditional brick-and-mortar
businesses.

5.3 Compliance with Laws and Regulations. Online businesses
shall observe and comply with the policies, laws and regulations
in the countries where their goods and services are marketed.

5.4 Conformance to Local Standards. Online businesses shall apply
the necessary standards and provide accurate information in
the local language of the countries where their goods and
services are marketed.

5.5 Ensured Quality and Safety. Online businesses shall ensure
shared responsibility along the entire supply chain. They shall
not compromise product, health, and food safety, shall not offer
products which have been recalled, banned or prohibited, and
shall ensure that their services are of the highest quality.

5.6 Honest and Truthful Communication. Online businesses shall
provide easily accessible, complete, and correct information
about their goods and services, and adhere to fair advertising
and marketing practices.

5.7 Price Transparency. Online businesses shall ensure
transparency and openness regarding their prices, including
any additional costs, such as customs duties, currency
conversion, shipping, delivery, taxes, service/processing fees,
and convenience fees.

5.8 Proper Recordkeeping. Online businesses shall keep proper
records of purchase, provide complete records of the goods
purchased, and have them delivered in the promised time and
described condition.

5.9 Review and Cancellation Options. Online businesses shall
offer consumers options to review their transaction before
making the final purchase, and to cancel or withdraw from a
confirmed transaction in appropriate circumstances. Fraudulent
acts, whether by online businesses or by consumers, shall be
dealt with in accordance with existing penal/special laws.

5.10 Responsive Consumer Complaint and Redress System.
Online businesses shall take consumer complaints seriously,
establish a fair and transparent system to address complaints,
and provide appropriate compensation, such as refund, repair,
and/or replacement.

5.11 Consumer Information Security. Online businesses shall secure
the personal information of consumers, actively protect their
privacy, be transparent about processing personal data, and if
appropriate under the circumstances, ask for permission prior
to any personal data processing activity.

5.12 Online Payment Security. Online businesses shall ensure that
online payments used are safe and secure. They shall safeguard
sensitive data by choosing digital payment platforms with
the appropriate secure technology and protocols, such as
encryption or SSL, and display trust certificates to prove it.

5.13 Desistance from Online Spamming. Online businesses shall
avoid online spamming. They shall allow consumers to choose
whether they wish to receive commercial messages by e-mail
or other electronic means, and provide adequate mechanisms
for them to opt out from the same.

5.14 Non-proliferation of Fake Online Reviews. Online businesses
shall not restrict the ability of consumers to make critical or
negative reviews of goods or services, or spread wrong
information about competitors.

5.15 Consumer Education on Online Risks. Online businesses
shall educate consumers about (online) risks. They shall help
consumers in understanding the risks of online transactions,
and provide competent guidance if needed.

SEC. 6. PROTECTION OF ONLINE CONSUMERS AGAINST HAZARDS
TO HEALTH AND SAFETY.

Online businesses are reminded of the following laws, among others,
in order to protect the public against hazards to health and safety:

6.1 R.A. No. 4109, otherwise known as the "Standards Law", shall
also apply to all online businesses. This includes compliance with
all Department Administrative Orders issued by DTI, particularly
the Technical Regulations issued to ensure and certify product
quality and safety.

6.2 R.A. No. 9211 or the "Tobacco Regulation Act of 2003" and
E.O. No. 106 s. 2020 shall also apply to ensure that online
businesses abide by the restrictions set forth on advertising,
promotions, and access of minors, in order to further protect
consumers against the hazards to health and safety of
tobacco, vapor products and heated tobacco products.

6.3 R.A. No. 10611 or the "Food Safety Act of 2013", P.D. No.
1619 s. 1979, and FDA Circular No. 2019-006 shall also apply
to ensure that online businesses abide by the restrictions set
forth on advertising and promotions and access of minors, in
order to further protect consumers against the hazards to
health and safety of alcoholic beverages.

6.4 DA regulations such as, but not limited to, proper handling and
stewardship shall also apply to the offer and sale of agricultural
products online, such as fertilizers and pesticides, whether
conventional, biotech-traited or those with plant-incorporated
protectants.

6.5 All online businesses must comply with DTI Memorandum
Circular No. 21-05, series of 2021, which enumerates the eighty-
seven (87) products and systems covered under the BPS
Mandatory Product Certification Schemes, classified into
three (3) product groups: Electrical and Electronic Products,
Mechanical/Building and Construction Materials, and Chemical
and Other Consumer Products and Systems. The latest list of
products is attached as Annex A. Such list may be updated or
revised by the BPS in accordance with its mandate.

6.6 Requirement for products covered under the DTI-BPS
Mandatory Certification Schemes.

6.6.1 Online platforms, including their sellers, merchants, or
e-retailers engaged in the sale of products covered
under the DTI Bureau of Philippine Standards (DTI-
BPS) Mandatory Product Certification Schemes shall
ensure that such products sold in online platforms bear
a valid Philippine Standard (PS) Quality and/or Safety
Certification Mark, Import Commodity Clearance (ICC)
sticker, or any certification mark approved and issued by
the DTI-BPS.

6.6.2 Manufacturers and importers of the products covered
under the BPS Mandatory Certification Schemes shall
secure the PS Mark or ICC stickers from the BPS. Only
the manufacturer or importer to whom the PS License
or ICC certificate is granted shall be allowed to affix the
PS Mark or ICC sticker, respectively, on their products
consistent with the requirements of the DTI Department
Administrative Order (DAO) No. 4, Series of 2008, DAO
No. 5, Series of 2008, their respective Implementing
Rules and Regulations and other applicable DTI technical
regulations related to the BPS Mandatory Product
Certification Schemes. The matrix of requirements and
procedure to apply for a PS Mark License, ICC certificate
and stickers, is attached as Annex B.

SEC. 7. PROTECTION OF ONLINE CONSUMERS AGAINST
DECEPTIVE, UNFAIR AND UNCONSCIONABLE SALES AND
PRACTICES.

Online businesses are reminded of the following laws, among
others, in order to protect the public against deceptive, unfair and
unconscionable sales acts and practices:

7.1 Prohibition Against Deceptive Online Sales Acts or Practices
- Online businesses are covered by Article 50 of R.A. No.
7394 and Sections 155.1, 155.2, and 165.2(b) of R.A. No. 8293,
otherwise known as the "Intellectual Property Code of the
Philippines", which declare deceptive acts or practices by a
seller or supplier in connection with a consumer transaction
to be a violation. This may occur before, during or after the
transaction, in cases where:

7.1.1 A consumer product or service has the sponsorship,
approval, performance, characteristics, ingredients,
accessories, uses, or benefits it does not have;

7.1.2 A consumer product or service is of a particular standard,
quality, grade, style, shape, size, color, or model when in
fact it is not;

7.1.3 A consumer product is new, original or unused, when in
fact, it is in a deteriorated, altered, repacked, unlabeled,
mislabeled, unknown, reconditioned, reclaimed or
second-hand state;

7.1.4 A consumer product or service is available to the consumer
for a reason that is different from the fact;

7.1.5 A consumer product or service has been supplied in
accordance with the previous representation when in
fact it is not;

7.1.6 A consumer product or service can be supplied in a
quantity greater than the supplier intends;

7.1.7 A service, or repair of a consumer product is needed
when in fact it is not;

7.1.8 A specific price advantage of a consumer product exists
when in fact it does not;

7.1.9 The sales act or practice involves or does not involve a
warranty, a disclaimer of warranties, particular warranty
terms or other rights, remedies or obligations if the
indication is false;

7.1.10 The seller or supplier represents that he has a sponsorship,
approval, or affiliation he does not have;

7.1.11 The seller or supplier of a product or service has used
a trademark, trade name, or other identifying mark,
imprint, or device, or any likeness thereof, without the
authorization of the owner;

7.1.12 The seller or supplier of a product is not authorized by
the trademark holder as a distributor/retailer/seller of
the product;

7.1.13 The seller or supplier uses the traditional knowledge of
indigenous people on wild food plants, medicinal plants,
and animal parts, in sales promotions or trade, without
their prior written consent or acknowledgment; and

7.1.14 The seller or supplier misrepresents their products
as proprietary, having regulatory approval, or legally
compliant with existing laws and regulations when in fact
they are not.

7.2 Unfair or Unconscionable Sales Act or Practice - Online
businesses are also covered by Article 52 of R.A. No. 7394
and Sections 155.1, 155.2, and 165.2(b) of R.A. No. 8293 when
the seller induces the consumer to enter into a sales or lease
transaction grossly inimical to the interests of the consumer
or grossly one-sided in favor of the online seller, merchant, or
e-retailer by taking advantage of the consumer's physical or
mental infirmity, ignorance, illiteracy, lack of time or the general
conditions of the environment or surroundings. In determining
whether an act or practice is unfair and unconscionable, the
following circumstances shall be considered:

7.2.1 That the producer, manufacturer, distributor, supplier or
seller took advantage of the inability of the consumer to
reasonably protect his interest because of his inability
to understand the language of an agreement, or similar
factors;

7.2.2 That when the electronic transaction was entered into,
the price grossly exceeded the price at which similar
products or services were readily obtainable in similar
transactions by like consumers;

7.2.3 That when the electronic transaction was entered into,
the consumer was unable to receive a substantial benefit
from the subject of the transaction;

7.2.4 That the transaction that the seller or supplier induced
the consumer to enter into was excessively one-sided in
favor of the seller or supplier; and

7.2.5 That the consumer was misled into purchasing a product
or availing of a service by reason of the unauthorized
use by the supplier or seller of a trademark, trade name,
or other identifying mark, imprint, or device, or any
likeness thereof, and which thereby falsely purports or
is represented to be the product or service of another.

SEC. 8. RESPONSIBILITIES OF ONLINE BUSINESSES ON
CONSUMER PRODUCT AND SERVICE WARRANTIES,
PRICE TAG PLACEMENT, AND LABELING.

8.1 Consumer Product and Service Warranty - Online businesses
shall comply with the pertinent rules on provision of warranty
under the Civil Code and under Title III of R.A. No. 7394.

8.2 Labeling Requirements - Online businesses shall comply with
the following labeling requirements under R.A. No. 7394, R.A.
No. 9711, and other pertinent and relevant laws:

8.2.1 The minimum labelling requirements for consumer
products whether manufactured locally or imported
under Article 77;

8.2.2 Additional labeling and packaging requirements
necessary to prevent the deception of the consumer
or to facilitate value comparisons as to any consumer
product under Article 79;

8.2.3 Additional labelling requirements for food under Article
84;

8.2.4 Labeling of drugs under Article 86 and Section 6 of R.A.
No. 6675, as amended by R.A. No. 9502, otherwise known
as the "Universally Accessible Cheaper and Quality
Medicines Act of 2008";

8.2.5 Additional labeling requirements for cosmetics under
Article 87;

8.2.6 Breastmilk substitutes and breastmilk supplements shall
follow the guidelines set in the Milk Code, in terms of
labelling (Section 10 of E.O. No. 51);

8.2.7 Toys shall comply with the appropriate provisions on
safety labelling and manufacturer's markings found in
the Philippine National Standards for the safety of toys
(Section 4 of R.A. No. 10620, otherwise known as the "Toy
and Game Safety Labeling Act of 2013");

8.2.8 Household urban hazardous substances must bear
warning labels particular to the hazards they present
(Chapter IV, Article 91 of R.A. No. 7394; Section 1.n. of
Presidential Decree (P.D.) No. 881);

8.2.9 Vaping products and heated tobacco products must
bear Graphic Health Warnings (Sec. 1 of R.A. No. 11346);

8.2.10 Labeling requirements for tobacco products under R.A.
No. 9211; and

8.2.11 Labeling requirements for alcoholic beverages under
R.A. No. 10611 and FDA Circular No. 2019-006.

8.3 Price Tag Placement - Pursuant to Articles 81 and 83 of R.A. No.
7394, the following rules and regulations shall apply to online
businesses as regards the price of the product or service
offered online:

8.3.1 Product listings by e-retailers or merchants on marketplaces/
platforms must contain the price(s) of the product/service
in Philippine pesos and must display payment policies,
delivery options, returns, refunds and exchange policy,
and other charges if applicable;

8.3.2 Total price must be displayed. It must be clear, updated
and accurate to avoid misleading online consumers;

8.3.3 Indicate the price in high visibility areas, preferably near
the product title or the add-to-cart button, and ensure the
text used for the price is readable and accessible; and

8.3.4 The practice of providing prices through private (or
direct) messages to consumers/buyers is considered a
violation of the Price Tag Law.

SEC. 9. REGULATED, RESTRICTED, AND PROHIBITED ITEMS.

Online businesses shall exhibit the corresponding license or permit
number as regards the regulated items for sale as prescribed by
regulatory agencies. Provided that, delivery platforms shall not be
liable for transport of these items when the same cannot, on the
face of the package, be determined to be in violation of this clause.
The liability of the delivery platform in this instance shall be limited
to those provided in Section 13.

Online businesses shall not produce, import, distribute, market, sell or
transport prohibited goods or services, which are those specifically
prohibited by law, such as, but not limited to counterfeit goods and
products, precious metals and conflict minerals, weapons, artifacts,
sexual services, seditious or treasonous materials, and other such
goods and services. Attached hereto as Annex C is a non-exhaustive
list of the regulated, restricted, and prohibited items for reference.
This list may be revised or updated by the relevant regulatory
agencies concerned.

SEC.10. DATA PRIVACY.

This JAO defines the responsibilities of online sellers, merchants, or
e-retailers under R.A. No. 10173, otherwise known as the Data Privacy
Act, which seeks to protect privacy by ensuring transparency,
legitimate purpose, and proportionality in data collection and
processing. Through the NPC, the law regulates the collection,
recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure, or destruction of
personal data.

10.1 Online sellers, merchants, or e-retailers, particularly those
that sell through their own websites or through social media
marketplaces, are expected to handle all personal data of their
consumers with the utmost care and respect;

10.2 Personal information collected by the online sellers, merchants,
or e-retailers shall be retained only for as long as necessary:

a. For the fulfillment of the declared, specified, and
legitimate purpose, or when the processing relevant to
the purpose has been terminated;

b. For the establishment, exercise or defense of legal claims;

c. For legitimate business purposes, which must be consistent
with standards followed by the applicable industry or
approved by the appropriate government agency; or

d. As provided by law;

10.3 Personal data shall be disposed of or discarded in a secure
manner that would prevent further processing, unauthorized
access, or disclosure to any other party or the public, or
prejudice the interests of the data subjects. Security measures
for the protection of personal data should be implemented;

10.4 Online sellers, merchants, or e-retailers shall publish/post in their
websites or online platforms, or any other similar platform, a
Privacy Notice which shall provide consumers with information
regarding the purpose and extent of the processing of their
personal data in relation to their transactions, including if
applicable, any data sharing, profiling, direct marketing, or the
existence of automated decision-making, as well as any other
authorized further processing;

10.5 Online merchants that operate their own online application,
or any other similar platform, are prohibited from asking
unnecessary permissions from the consumers;

10.6 Prior to the collection of personal data of the consumers, the
online sellers, merchants, or e-retailers must determine the
most appropriate lawful criteria for such processing, which in
the case of sale-related processing need not necessarily be
consent. In such a case, processing may still be lawful if based
on a contract or legitimate interest of either or both the seller
and the buyer;

10.7 All personal data supplied by consumers to online sellers,
merchants, or e-retailers shall be secured through the
implementation of reasonable and appropriate security
measures intended for the protection of personal data and shall
not be used for purposes not authorized by the consumers;

10.8 Upon collection and processing of the personal data, the
online sellers shall inform the consumers of their data privacy
rights under the Data Privacy Act, namely:

a. Right to information

b. Right to object

c. Right to access

d. Right to correct

e. Right to erase

f. Right to damages

g. Right to data portability

h. Right to file a complaint

10.9 Upon request by public authorities pursuant to their respective
mandates and in accordance with the provisions of the Data
Privacy Act of 2012, online sellers, merchants, or e-retailers
may lawfully disclose personal information to said public
authorities, provided that the request particularly describes
the personal information asked for and indicates the relevance
of such information to an ongoing investigation.

III. LIABILITIES OF ONLINE BUSINESSES

SEC. 11. LIABILITY FOR DEFECTIVE PRODUCT AND SERVICE.

Online businesses are covered by Title III, Chapter V of R.A. No.
7394, particularly Article 98 (in relation to Article 97), which provides
for the liability of the manufacturer, producer, importer, or seller of
defective products.

11.1 Online merchants or sellers are liable when it is not possible to
identify the manufacturer, builder, producer or importer of a
defective product;

11.2 Online merchants or sellers shall be held liable when the product
is supplied, without clear identification of the manufacturer,
producer, builder or importer; and

11.3 Online merchants or sellers shall be held liable when the
perishable goods were not adequately preserved.

SEC. 12. LIABILITY FOR THE SALE OF COUNTERFEIT AND PIRATED
GOODS.

The online sale of fake and/or pirated goods is a violation of R.A.
No. 8293 and R.A. No. 8203, otherwise known as the "Special Law
on Counterfeit Drugs." Online businesses shall only sell original,
genuine, licensed, or unexpired goods.

12.1 Should any person holding Intellectual Property (IP) rights,
whether or not engaged in selling of goods or services, find
that their protected works, creations, designs, trademarks,
patented inventions, or other IP are being infringed by
unauthorized sellers or merchants online, they may request
the online e-commerce platforms being used by the infringer
to take down the infringing goods/contents. In the event that
the online e-commerce platform fails to respond to the take
down request of the Intellectual Property (IP) rights holder, the
rights holder may notify the IPOPHL for appropriate action.

12.2 E-commerce platforms have the authority to enforce the rights
of the IP holder, in accordance with their internal guidelines. The
usual modes of enforcement by platforms include temporary
or permanent suspension or restriction of the infringing seller's
accounts.

12.3 Reports or complaints of possible infringement shall be
transmitted by the DTI to the brand owners so that they may
check and report the same to the IPOPHL for action.

12.4 In addition to the IPOPHL, complaints regarding counterfeit and
pirated goods may also be brought before other regulatory
agencies having jurisdiction over the same such as, but not
limited to, the Optical Media Board and the FDA.

12.5 The following persons shall be liable for violations of R.A. No.
8203:

12.5.1 The manufacturer, exporter or importer of the counterfeit
drugs and their agents, Provided, That the agents shall
be liable only upon proof of actual or constructive
knowledge that the drugs are counterfeit;

12.5.2 The seller, distributor, trafficker, broker or donor and their
agents, upon proof of actual or constructive knowledge
that the drugs sold, distributed, offered or donated are
counterfeit drugs;

12.5.3 The possessor of counterfeit drugs as provided in
Section 4 (b) of R.A. No. 8203;

12.5.4 The manager, operator or lessee of the laboratory or
laboratory facilities used in the manufacture of counterfeit
drugs;

12.5.5 The owner, proprietor, administrator or manager of the
drugstore, hospital pharmacy or dispensary, laboratory
or other outlets or premises where the counterfeit drug
is found who induces, causes or allows the commission
of any act herein prohibited;

12.5.6 The registered pharmacist of the outlet where the
counterfeit drug is sold or found, who sells or dispenses
such drug to a third party and who has actual or
constructive knowledge that said drug is counterfeit; and

12.5.7 Should the offense be committed by a juridical person,
the president, general manager, the managing partner,
chief operating officer or the person who directly
induces, causes or knowingly allows the commission of
the offense shall be penalized.

SEC. 13. LIABILITY OF E-COMMERCE PLATFORMS AND
E-MARKETPLACES.

13.1 E-commerce platforms, e-marketplaces, and the like, shall be
treated, and shall be held liable, in the same manner as online
sellers, merchants, and e-retailers, when the latter commit
any violation of the laws implemented by these rules.

E-commerce platforms, e-marketplaces, and the like, shall verify
if the goods sold by online sellers or merchants, and e-retailers,
in their respective platforms are regulated, prohibited, original,
genuine, licensed, or unexpired.

13.2 In case of a prima facie violation of any pertinent laws or
regulations committed in an online post by the online seller
or merchant, e-retailer, e-commerce platform, e-marketplace,
and the like, the concerned authorized agency shall issue a
notice giving the violator a maximum period of three (3)
calendar days from receipt thereof, within which to take
down such post, without prejudice to the filing of appropriate
administrative actions against all violators.

Failure to take down the post within three (3) calendar days
shall be construed as an intentional and overt act that shall
aggravate the offense charged.

13.3 The written notice shall indicate specific information, such as,
but not limited to:

a. the URL of the content in question;

b. relevant provision or information on the asserted rights
or law infringed or violated; and

c. brief explanation of why the content infringes or violates
rights or the law.

13.4 E-commerce platforms, e-marketplaces, and the like, may
appeal the take down notice, following the procedures set
under the applicable laws if, in their reasonable determination,
there is no violation of any law or regulation. However, no
reposting may be allowed pending appeal.

13.5 Delivery platforms shall be liable in the same manner as online
sellers, merchants, and e-retailers only upon notice that they
are carrying or delivering restricted, prohibited or infringing
items.

13.6 The term “use in commerce” under Section 155.1 of RA. No. 8293
shall include the act of sending marketing emails, publishing
advertisements online or through traditional media, and similar
acts designed to solicit business. The use of registered marks
as well as copies or reproductions thereof in marketing emails
and advertisements, without the authority of the trademark
owner, shall be deemed an act of infringement under Section
155.1 of R.A. No. 8293.

13.7 In general, it shall be unlawful for e-commerce platforms,
e-marketplaces, and the like, to:

a. Disseminate or to cause the dissemination of any
false, deceptive or misleading advertisement by mail
or in commerce by print, radio, television, outdoor
advertisement, or any other medium, for the purpose of
inducing or which is likely to induce directly or indirectly
the purchase of products or services;

b. Advertise any food, drug, cosmetic, device, or hazardous
substance in a manner that is false, misleading or
deceptive, or is likely to create an erroneous impression
regarding its character, value, quantity, composition,
merit, or safety;

c. Advertise any food, drug, cosmetic, device, or hazardous
substance, unless such product is duly registered and
approved by the concerned department for use in any
advertisement.

13.8 Regulatory Agencies shall designate in writing their respective
point of contact, who shall be fully authorized to issue notices
of violations to digital platforms and/or e-marketplaces.
Moreover, all regulatory agencies shall submit the names of
the designated point persons, including their contact details
(verified email address and mobile numbers), to the DTI E-commerce
Division (DTI-ECD), for consolidation, within 7 days from the
effectivity of this JAO.

In case there will be changes in the designated point/focal
persons, including their contact details (verified email address
and active mobile numbers), the same shall be conveyed to
DTI-ECD immediately.

13.9 Upon the effectivity of this JAO, e-commerce platforms and
e-marketplaces are directed to enact and strictly enforce
internal mechanisms or rules aimed to prohibit online sellers or
merchants, previously found administratively liable for violation
of any pertinent law, rule or regulation, from further selling,
posting or offering items for sale in their respective platforms.

Failure to enact, or strictly enforce, such internal mechanisms
or rules shall be construed as an intentional and overt act that
shall aggravate the offense charged.



IV. RESPONSIBILITIES OF GOVERNMENT AGENCIES

SEC. 14. RESPONSIBILITIES OF CONCERNED GOVERNMENT AGENCIES.

The provisions of this JAO shall be implemented in full effect by the
concerned government agencies, in the exercise of their mandate
and jurisdiction, in order to establish a trustworthy and conducive
e-Commerce environment. Some of these agencies are:

14.1 The Department of Trade and Industry (DTI), with respect
to registration and monitoring of online sellers, merchants, or
e-retailers including handling of consumer complaints.

14.2 The Department of Agriculture (DA), with respect to the
monitoring and regulation of the manufacture and marketing
of agricultural products for the protection of the public from
the inherent risk of these products; and in the promotion and
protection of animal health and welfare. This shall cover the
following pertinent DA offices: (1) the Fertilizer and Pesticide
Authority (FPA) for fertilizers, pesticides and seeds with pip
and (2) the Bureau of Plant Industry (BPI) for seeds.

14.3 The Department of Environment and Natural Resources
(DENR), with respect to the monitoring and regulation of
the importation, manufacture, processing, handling, storage,
transport, sale, distribution, use and disposal of forest products,
derivatives, wildlife by-products, chemical substances,
mixtures, and chain saws that present unreasonable risk or
injury to health or to the environment in accordance with
national policies and international commitments.

14.4 The Department of Health (DOH), through the Food and
Drug Administration (FDA), with respect to the regulation of
the manufacture, importation, exportation, distribution, sale,
offer for sale, transfer, promotion, advertisement, sponsorship
of, and/or use and testing of health products, including food,
drugs, cosmetics, devices, biologicals, vaccines, in-vitro
diagnostic reagents, household/urban hazardous substances,
household/urban pesticides, toys and childcare articles to
protect the health of the consumer.



14.5 The Intellectual Property Office of the Philippines (IPOPHL),
with respect to the protection of intellectual property rights in
the conduct of e-commerce and its coordination with online
e-Commerce platforms and brand owners in the implementation
of the Memorandum of Understanding addressing counterfeit
and pirated goods online.

14.6 The National Privacy Commission (NPC), with respect to the
protection of data privacy rights and regulation of the processing
of personal data in the conduct of e-commerce transactions.

SEC. 15. JOINT UNDERTAKING OF GOVERNMENT AGENCIES.

This JAO shall enjoin all government agencies concerned to coordinate
and assist in the enforcement of this JAO, in respect to the matters
falling under their respective jurisdictions.

The above-mentioned government agencies shall undertake the
following:

15.1 Work with e-Commerce platforms to establish a mechanism to
prevent or remove or take down, within a reasonable period,
listings on online platforms of prohibited or regulated but
unregistered products;

15.2 Implement advocacy campaigns for consumers and businesses
on government regulations relative to the marketing, distribution
and sale of regulated products;

15.3 Explore the possibility of jointly developing a system with
e-Commerce platforms, including the use of an Application
Programming Interface (API), that will link each Party’s respective
systems to facilitate the transfer of information regarding
listing of keywords, images, and other information on regulated
products for regular sweeping by the online platforms; and

15.4 Develop a system to exchange intelligence/information on
prohibited and regulated items monitored online, including
automatic sharing of information with the appropriate regulatory
agency, on possible violations detected/discovered. This may
include the sharing of and access to a database of products/
items containing sufficient information, keywords, and content for
the purpose.



V. REMEDIES OF CONSUMERS

SEC. 16. PROVISION OF ADEQUATE RIGHTS AND MEANS OF REDRESS.

16.1 NO WRONG-DOOR POLICY - In accordance with Department
Administrative Order No. 20-02, series of 2020, any consumer
complaint filed with the DTI, whether or not the subject matter
falls under its jurisdiction, shall be accepted for appropriate
assistance, subject to the limitations imposed by law. The
Department shall assist the consumer by guiding them to and
forwarding their complaint to the appropriate agency having
proper jurisdiction over the subject matter.

16.2 CONSUMER COMPLAINTS MECHANISM - The handling of
consumer complaints shall be done in accordance with the
rules of the government agency having jurisdiction over the
product or service complained of. However, the consumer
may opt to seek primary resolution through the internal
complaint mechanism of the online business before resorting
to intervention by the DTI or any other regulatory agency.
Where the DTI is concerned, complaints against online
businesses shall be made and handled in accordance with DTI
Department Administrative Order 20-02, series of 2020. The
established procedure for all types of consumer complaints
brought before the DTI, whether against offline (brick and
mortar) or online businesses, shall apply to online consumers:

16.2.1 Online consumers may file complaints with the DTI
regarding their concerns via the following modes:

a. Walk-in at its national or provincial offices;
b. Consumer care hotline at 1-384;
c. SMS at 09178343330; and
d. Written complaints delivered through postal or
messengerial service.



16.2.2 Complaints can also be filed electronically through any
of the following:

a. DTI website. Consumers must accomplish the
Complaint Form.
b. DTI Consumer Care Facebook page.
c. Email to [email protected], [email protected].ph
or [email protected] addressed to the Director of
the Fair Trade Enforcement Bureau (FTEB) or the
appropriate official of any of the DTI’s provincial
offices, with the following details:

I. Complete name, address, email and contact
number of complainant with attached
government-issued ID

16.2.3 Complaint Handling Process

a. When DTI receives a consumer complaint, the
subject matter of which is within the ambit of its
primary jurisdiction, it shall schedule the parties
to the complaint for appropriate Mediation within
seven (7) days of receipt.
b. Upon agreement of both parties, Mediation may
be extended for no longer than ten (10) working
days.
c. If the controversy has not been resolved through
Mediation, the matter shall be scheduled for
Adjudication, and a decision shall be rendered
within fifteen (15) working days from submission
for decision.
d. The decision of the Consumer Arbitration Officer
shall become final within fifteen (15) days from
receipt thereof, unless appealed to the Secretary
of Trade and Industry. The Secretary shall render a
decision on appeal within thirty (30) working days
from the submission of appeal.
e. The decision of the Secretary of Trade shall
become final and executory after fifteen (15) days
from receipt thereof, unless a petition for certiorari
is filed with the proper court, in accordance with
Article 166 of the Consumer Act of the Philippines.
f. The consumer complaints handling process flow
chart is hereby attached as Annex D.

16.3 Online sellers, merchants, or e-retailers and consumers are
advised that their communications, whether done via social
media, built-in communication services on e-commerce
platforms, or any other form of electronic communication
using an electronic device, may constitute an electronic data
message. Screenshots of such electronic communications
may be used as evidence to prove a fact or establish a right in
administrative or judicial proceedings, subject to the relevant
rules issued by the Supreme Court.

A.M. No. 01-7-01-SC provides for the Rules on Electronic
Evidence, to implement the legal recognition, admissibility, and
enforcement of electronic documents and signatures in court.

VI. PENALTIES

SEC. 17. PENALTIES.

All online businesses may be held liable for violations against laws,
rules and regulations covered under this Joint Administrative Order
(JAO) and other applicable laws and issuances. A non-exhaustive list
of penalties is reflected in Annex E.

VII. FINAL PROVISIONS

SEC. 18. SEPARABILITY CLAUSE.

Should any provision of this Order or any part thereof be declared
unconstitutional or otherwise invalid, the validity of other provisions
not so declared shall not be affected by such declaration.

SEC. 19. REPEALING CLAUSE.

All previous Orders and Issuances which are inconsistent with this
Order are hereby repealed or amended accordingly.

SEC. 20. PUBLICATION AND EFFECTIVITY.

This Order shall take effect fifteen (15) days from its complete
publication in the Official Gazette or a newspaper of general
circulation, and the submission of a copy hereof to the Office of
the National Administrative Register (ONAR) of the University of the
Philippines.

Issued this 4th day of March 2022.

ANNEX A: LIST OF PRODUCTS UNDER MANDATORY PRODUCT CERTIFICATION

LIST OF PRODUCTS UNDER MANDATORY PRODUCT CERTIFICATION
AS OF 25 JANUARY 2021

Products                                          Philippine National Standard/s
                                                  (as of Jan 25, 2021)

I. ELECTRONICS AND ELECTRICAL GOODS
Testing Duration: approx. 4-15 days

Household Appliances
  Electric fans                                   PNS IEC 60335-2-80:2016 (IEC published 2015)
  Electric irons                                  PNS IEC 60335-2-3:2005 (IEC published 2002)
  Electric blenders                               PNS IEC 60335-2-14:2016 (IEC published 2012)
  Microwave ovens                                 PNS IEC 60335-2-25:2015 (IEC published 2014)
  Electric rice cookers                           PNS IEC 60335-2-15:2015 (IEC published 2012)
  Electric airpots                                PNS IEC 60335-2-15:2015 (IEC published 2012)
  Electric coffeemakers                           PNS IEC 60335-2-15:2015 (IEC published 2012)
  Electric toaster                                PNS IEC 60335-2-9:2016 (IEC published 2012)
  Electric stoves                                 PNS IEC 60335-2-9:2016 (IEC published 2012)
  Electric hot plates                             PNS IEC 60335-2-9:2016 (IEC published 2012)
  Electric grills                                 PNS IEC 60335-2-9:2016 (IEC published 2012)
  Electric ovens                                  PNS IEC 60335-2-9:2016 (IEC published 2012)
  Turbo broilers                                  PNS IEC 60335-2-9:2016 (IEC published 2012)
  Induction cookers                               PNS IEC 60335-2-9:2016 (IEC published 2012)
  Washing machines                                PNS IEC 60335-2-7:2016 (IEC published 2012)
  Spin extractors                                 PNS IEC 60335-2-4:2016 (IEC published 2012)

Refrigerators
  Storage capacity 142 liters to 227 liters       PNS 396-2:1997 Amd. 01:2000
  (5 to 8 cu. ft.)
  Storage capacity up to 567 liters (20 cu. ft.)  PNS IEC 60335-2-24:2013

Air conditioners
  Non-inverter, Window & Split-type up to         PNS 396-1:1998
  36,000 kJ/hr. cooling capacity
  Inverter, non-inverter, window-type and         PNS IEC 60335-2-40:2013
  split-type air-conditioners, with not more
  than 250 V for single phase and 600 V for
  all other types and with cooling capacity
  up to 38,000 kJ/hr.

  Electric juicers                                PNS IEC 60335-2-14:2016 (IEC published 2012)

ANNEX 1

REPUBLIC OF THE PHILIPPINES)
CITY OF _______________________) S.S.

SWORN DECLARATION AND UNDERTAKING FOR EXEMPTION
FROM REGISTRATION OF DATA PROCESSING SYSTEMS

I [Name of Data Protection Officer/Authorized Representative],
of legal age, and residing at [Address of DPO/Authorized
Representative], after having been duly sworn in accordance with
law, do hereby depose and state that:

1. I am the [Data Protection Officer (“DPO”) or Authorized
Representative] of [Name of PIC/PIP] with the following
contact details:
a. Office Address: ________________________;
b. DPO Name: (if through Authorized Representative);
c. DPO Email Address: ___________________; and
d. Contact Number: __________________;

2. I am duly authorized to issue this Sworn Declaration and
Undertaking on behalf of [Name of PIC/PIP] as manifested in
the attached [proof of authority such as a Board Resolution
embodied in a Secretary’s Certificate];

3. [Name of PIC/PIP] does not meet the registration requirements
for all of the following reasons:
o [Name of PIC/PIP] employs less than two hundred fifty
(250) persons;
o the processing by [Name of PIC/PIP] does not include
sensitive personal information of at least one thousand
(1,000) individuals;
o [Name of PIC/PIP] does not process any information likely
to pose a risk to the rights and freedoms of data subjects
including those that involve information likely to affect
national security, public safety, public order, or public
health or information required by applicable laws or rules
to be confidential; vulnerable data subjects like minors,
the mentally ill, asylum seekers, the elderly, patients, those
involving criminal offenses, or in any other case where an
imbalance exists in the relationship between a data subject
and a PIC or PIP, especially those involving automated
decision-making or profiling; and
o [Name of PIC/PIP] is not a government agency or
instrumentality;

4. I undertake that [Name of PIC/PIP] shall comply with orders
of the Commission requiring the submission of additional
documents and other relevant information, and that failure to
comply with such orders will be subject to fines and other
applicable penalties;

5. I undertake to immediately inform the Commission by filing a
new Sworn Declaration and Undertaking within ten (10) days
from any change in the declarations in number 1;

6. I undertake to immediately register with the Commission
within twenty (20) days from existence of facts showing that
the basis for this Sworn Declaration and Undertaking is no
longer true;

7. I am executing this Sworn Declaration and Undertaking to
attest to the truth of the foregoing statements and to comply
with the requirements of the Data Privacy Act, its Implementing
Rules and Regulations, and other relevant issuances of the
National Privacy Commission.

IN WITNESS WHEREOF, I have hereunto set my hand this _____
day of ______________, 20__ at ____________, Philippines.

[Name of Data Protection Officer/Authorized Representative]
Affiant

SUBSCRIBED AND SWORN to before me this ____ day of
______, 20__, Affiant exhibiting to me a competent proof of
identity ___________________________________ issued at
_____________________ on _______________________.

NOTARY PUBLIC
Doc No. _____;
Page No. ____;
Book No. ____;
Series of _____.
