Rule I.
Preliminary Provisions operation or set of operations on personal data
Section 1. Title. These rules and regulations shall be
known as the Implementing Rules and Regulations
of Republic Act No. 10173 known as the Data
Privacy Act of 2012, or the “Rules.”
Section 2. Policy. These rules and regulations
further enforce the Data Privacy Act and adopts
generally accepted international principles and
standards for data protection, safeguarding the
fundamental right of every individual to privacy
while supporting the free flow of information for
innovation, growth and national development.
These rules and regulations recognize the vital role
of information and communications technology in
nation-building and enforce the State’s inherent
obligation to ensure that personal data in
information and communications systems in the
government and in the private sector are secured
and protected.
Section 3. Definitions. Whenever used in these
Rules, the following terms shall have the respective
meanings hereafter set forth:
*security incident – an event or occurrence that
affects or tends to affect data protection, or that may
compromise the availability, integrity and
confidentiality of personal data, including those
incidents that would have resulted to a security
breach if not for safeguards in place
*data sharing – the disclosure or transfer of personal
data under custody of a natural or juridical person
or other entity involved in the processing of
personal data to a third party, excludes outsourcing
or instructions to personal information processor
*data processing systems – the structure and
procedure by whichpersonal data is collected and
further processed in an information and
communications system or relevant filing system,
including the purpose and intended output of the
processing
*automatic processing systems – the use of
information and communications system to perform
involving under a logical framework or automated
instructions
a. Act refers to the Data Privacy Act.
b. Breach is a security incident that leads to
unlawful or unauthorized processing of personal,
sensitive or privileged information, or that
otherwise compromises the availability, integrity or
confidentiality of personal data processed under the
control of a personal information controller.
c. Commission refers to the National Privacy
Commission created by virtue of the Data Privacy
Act. (Dug Christopher B. Mah is the new Deputy Privacy
Commissioner of the National Privacy Commission (NPC),
effective March 2022.)
d. Consent of the da ta subject refers to any freely
given, specific, informed indication of will,
whereby the data subject agrees tothe collection and
processing of his or her personal, sensitive or
privileged information. Consent shall be evidenced
by written, electronic or recorded means. It may
also be given on behalf of a data subject by a lawful
representative or an agent specifically authorized by
the data subject to do so.
e. Data subject refers to an individual whose
personal, sensitive or privileged information is
processed.
f. Direct marketing refers to communication by
whatever means of any advertising or marketing
material which is directed to particular individuals.
g. Filing system refers to any set of information
relating to natural or juridical persons to the extent
that, although the information is not processed by
equipment operating automatically in response to
instructions given for that purpose, the set is
structured, either by reference to individuals or by
reference to criteria relating to individuals, in such a
way that specific information relating to a particular
person is readily accessible.
h. Information and Communications System refers
to a system for generating, sending, receiving,
storing or otherwise processing electronic data
messages or electronic documents and includes the
computer system or other similar device by or
which data is recorded, transmitted or stored and
any procedure related to the recording, transmission
or storage of electronic data, electronic message, or
electronic document.
i. Personal data refers, to personal information,
sensitiveinformation and privileged information,
collectively, which are in an information and
communications system, or relevant filing system,
or intended to form part of the same. Personal data
is the term used when referring to personal
information, sensitive personal information and
privileged information collectively.
j. Personal information refers to any information
whether recorded in a material form or not, from
which the identity of an individual is apparent or
can be reasonably and directly ascertained by the
entity holding the information, or when put together
with other information would directly and certainly
identify an individual.
k. Personal information controller refers to a natural
or juridical person or any other body who controls
the processing of personal data or instructs another
to process personal data on his or her behalf. The
term excludes:
1. A natural or juridical person or any other body
who performs such functions on behalf of another;
or
2. A natural person who processes personal data in
connection with his or her personal, family or
household affairs. There is control if the natural or
juridical person or any other body decides on what
information is collected, or the purpose or extent of
processing.
l. Personal information processor refers to any
natural or juridical person or any other body to
whom a personal information controller may
outsource or instruct the processing of personal data
pertaining to a data subject.
m. Processing refers to any operation or any set of
operations performed upon personal data including,
but not limited to, the collection, recording,
organization, storage, updating or modification,
retrieval, consultation, use, consolidation, blocking,
erasure or destruction of data.
n. Privileged information refers to any and all forms
of data which under the Rules of Court and other
pertinent laws constitute privileged communication.
o. Sensitive personal information refers to personal
information:
1. About an individual’s race, ethnic origin, marital
status, age, color, and religious, philosophical or
political affiliations;
2. About an individual’s health, education, genetic
or sexual life of a person, or to any proceeding for
any offense committed or alleged to have been
committed by such person, the disposal of such
proceedings, or the sentence of any court in such
proceedings;
3. Issued by government agencies peculiar to an
individual which includes, but not limited to, social
security numbers, previous or current health
records, licenses or its denials, suspension or
revocation, and tax returns; and
4. Specifically established by an executive order or
an act of Congress to be kept classified.
Rule II. Scope of Application
Section 4. Scope. The Data Privacy Act and these
Rules apply to the processing of personal, sensitive
or privileged information, in the government or
private sector, under any of the following
conditions:
a. The natural or juridical person involved in the
processing of personal data is found or established
in the Philippines.
b. The act, practice or processing relates to personal
data about a Philippine citizen or Philippine
resident.
c. The processing of personal data is being done in
the Philippines.
d. The act, practice or processing of personal data is
done or engaged in by an entity with links to the
Philippines, which include:
1. Use of equipment located in the country, or
maintains an office, branch or agency in the
Philippines for processing of personal data;
2. A Contract entered in the Philippines;
3. A Juridical entity unincorporated in the
Philippines but has central management and control
in the country;
4. An entity that has a branch, agency, office or
subsidiary in the Philippines and the parent or
affiliate of the Philippine entity has access to
personal data; or
5. An entity that carries on business in the
Philippines
6. An entity collects and holds personal data in the
Philippines. Provided further, that the information is
not specifically excluded in the succeeding section.
Section 5. Non-applicability. The Data Privacy Act
does not apply to specific categories of information,
to the extent of allowable collection, access, use,
disclosure or other processing, laid down in the
succeeding paragraphs. The non-applicability does
not extend to the personal information controllers or
processors, which process the same or other
personal data, in a manner or for a purpose that is
not specifically provided in this section.
a. The Act and these Rules shall not be used to
restrict access to information that fall within matters
of public concern, and for this purpose shall not
apply to:
1. Information about any individual who is or was
an officer or employee of a government institution
that relates to the position or functions of the
individual, including:
(a)The fact that the individual is or was an officer or
employee of the government institution;
(b)The title, business address and office telephone
number of the individual;
(c) The classification, salary range and
responsibilities of the position held by the
individual; and
(d)The name of the individual on a document
prepared by the individual in the course of
employment with the government.
2. Information about an individual who is or was
performing service under contract for a government
institution only in so far as it relates to the services
performed, including the terms of the contract, and
the name of the individual given in the course of the
performance of those services;
3. Information relating to a benefit of a financial
nature conferred on an individual upon the
discretion of government, such as the granting of a
license or permit, including the name of the
individual and the exact nature of the benefit,
provided that benefits given in the course of an
ordinary transaction or as a matter of right are not
discretionary benefits under these Rules.
b. The Act and these Rules do not apply to personal
information processed for journalistic, artistic or
literary purpose,
undertaken with view to publication or exhibition,
subject to
requirements of fair and true reporting and other
applicable
law or regulations. Any natural or juridical person
or other
body who shall process the same personal
information for any
purpose other than journalistic, artistic or literary
expression,
shall be covered by the Act and these Rules.
c. The Act and these Rules do not apply to personal
information
that will be processed for purpose of scientific and
statistical
research only within the limits provided by Section
37 of these
Rules. Any other research shall be covered by the
Act, these
8
Rules and other issuances of the Commission, to the
end that
research purposes will be supported without
compromising
privacy and security of personal data.
d. The Act and these Rules do not apply to
information necessary
in order to carry out functions of public authority
only to the
extent of collection and further processing
consistent with a
constitutionally or statutorily mandated function
pertaining to
national security, law enforcement, taxation and
other
regulatory function, including the performance of
the functions
of the independent, central monetary authority. The
public
authority must process the information, mindful of
the rights of
the individual data subject to privacy and security,
and subject
to other restrictions provided by law. If processing
is by an
information processor, the responsibility of the
public authority
as personal information controller remains. Nothing
in this Act
shall be construed as to have amended or repealed
Republic
Act No. 1405, otherwise known as the Secrecy of
Bank Deposits
Act; Republic Act No. 6426, otherwise known as
the Foreign
Currency Deposit Act; and Republic Act No. 9510,
otherwise
known as the Credit Information System Act
(CISA).
e. The Act and these Rules do not apply to
information necessary
for banks and other financial institutions under the
jurisdiction
of the independent, central monetary authority or
Bangko
Sentral ng Pilipinas to comply with Republic Act
No. 9510, and
Republic Act No. 9160, as amended, otherwise
known as the
Anti-Money Laundering Act and other applicable
laws. Banks

and financial institutions involved in processing of

personal

data shall be covered by the act and these Rules

where the

information collected and processed to comply with

law will be

subjected to processing for other purpose.

f. The Rules shall not apply to personal information

originally

collected from residents of foreign jurisdictions in

accordance

with the laws of those foreign jurisdictions,

including any

applicable data privacy laws, which is being

processed in the

Philippines, with regard to its collection. The Act

and these

Rules shall apply to processing performed in the

Philippines,

taking into account the law of the foreign

jurisdiction with

regard to collection. The burden of proving the law

of the

foreign jurisdiction falls on the person or body

seeking

exemption. In the absence of proof, the applicable

law shall be

presumed to be that of the Philippines.