Catanduanes State University

Virac, Catanduanes
______________________________________________________________________________

AEC 5 - Business Laws and Regulations

(MTh 5:30 – 7:00PM)

____________________________________________________

VI. Data Privacy Act

(REPUBLIC ACT 10173)

Members:
Sopranes, Cesar Aryan
Marcelo, Roselle
Serfino, Hannah

Submitted to:
Atty. Peter Villamor
 Table of Contents

Page Number

Data Privacy Act

Data Privacy Act (RA No. 10173) 3

A. Scope

Data Privacy Act Scope 3

B. Application of Data Privacy Act

Application 3

C. Processing of Data Privacy Act

Processing 4

Consent of the Data Subject 4

Processing of Personal, Sensitive Personal & Privilege Information 4

D. Data Privacy Principles

General Privacy Principles 4

General Principles in Collection, Processing and Retention 4

General Principles for Data Sharing 4

Criteria for Lawful Processing of Personal Information 5

Sensitive Personal Information and Privilege Information 5

Subcontract of Personal Information 5

Extension of Privilege Communication 6

Surveillance of Suspects and Interception of Recording of Communications 6

E. Rights of the Data Subjects

Data Subject 6

Transmissibility of Rights of the Data Subject 6

Right to Data Portability 7

Non-Applicability 7

REFERENCES
 DATA PRIVACY ACT
(Republic Act No. 10173)

The Data Privacy Act (Act) protects the right to privacy of an individual with regard to his
personal data. It imposes upon any person processing personal data the obligation to implement
security measures aimed at ensuring the confidentiality, integrity, and availability of an
individual’s personal data.

Data Privacy Act

Privacy
Right to be let alone.
Data Privacy
Right to keep personal information private.
Data Privacy Act
Protects persons against unauthorized and unnecessary processing of personal
information.

A. SCOPE

Data Privacy Act

Protects persons against UNAUTHORIZED and UNNECESSARY processing of
PERSONAL INFORMATION

Unauthorized Processing of Personal Information

– No informed consent to processing through transparency.
Unnecessary Processing of Personal Information
– No legitimate purpose to processing.
– Amount of processing is not proportionate to specified purpose.
Personal Information
– Can be used singly or collectively to reasonably ascertain the identity of an individual.

B. APPLICATION OF DATA PRIVACY ACT

The Act and these Rules apply to the processing of personal data by any natural and juridical
person in the government or private sector. They apply to an act done or practice engaged in and
outside of the Philippines if:
a. The natural or juridical person involved in the processing of personal data is found or
established in the Philippines;
b. The act, practice or processing relates to personal data about a Philippine citizen or
Philippine resident;
c. The processing of personal data is being done in the Philippines; or
d. The act, practice or processing of personal data is done or engaged in by an entity with
links to the Philippines.
 C. PROCESSING OF DATA PRIVACY ACT
Processing
– refers to any operation or any set of operations performed upon personal information.
Consent of the Data Subject
– refers to any freely given, specific, informed indication of will, whereby the data
subject agrees to the collection and processing of personal information about and/or
relating to him or her.

Processing of:
Personal Information
– May be processed if there is: (1) prior or immediate consent; or (2) lawful necessity.
Sensitive Personal Information
– May not be processed except if there is: (1) prior consent; or (2) non-commercial lawful
necessity.
Privileged Information
– May not be processed except if there is: (1) prior consent of all parties; or (2) lawful
necessity.

D. DATA PRIVACY PRINCIPLES

General Data Privacy Principles:

Transparency
– The data subject must be aware of the nature, purpose, and extent of the processing of
his or her personal data.
Legitimate Purpose
– The processing of information shall be compatible with a declared and specified purpose
which must not be contrary to law, morals, or public policy.
Proportionality
– The processing of information shall be suitable, necessary, and not excessive in relation
to a declared and specified purpose.

General Principles in Collection, Processing and Retention

a. Collection must be for a declared, specified, and legitimate purpose.
b. Personal data shall be processed fairly and lawfully.
c. Processing should ensure data quality.
d. Personal Data shall not be retained longer than necessary.
e. Any authorized further processing shall have adequate safeguards.

General Principles for Data Sharing

Further Processing of Personal Data collected from a party other than the Data Subject
shall be allowed under any of the following conditions:
a. Data sharing shall be allowed when it is expressly authorized by law: Provided, that
there are adequate safeguards for data privacy and security.
b. Data Sharing shall be allowed in the private sector if the data subject consents to data
sharing.
 c. Data collected from parties other than the data subject for purpose of research shall be
allowed when the personal data is publicly available, or has the consent of the data
subject for purpose of research.
d. Data sharing between government agencies for the purpose of a public function or
provision of a public service shall be covered a data sharing agreement.

Criteria for Lawful Processing of Personal Information:

(a) The data subject has given his or her consent;
(b) Necessary to fulfill a contract at the request of the data subject;
(c) Necessary for compliance with a legal obligation;
(d) Necessary to protect vitally important interests of the data subject, including life
and health;
(e) Necessary in order to respond to comply with the requirements of public order and
safety or to fulfill functions of public authority; or
(f) Necessary for the purposes of the legitimate interests of PIC to whom data is
disclosed, except where such interests are overridden by fundamental rights of the data
subject.

Sensitive Personal Information and Privilege Information

• Sensitive Personal Information
– Subset of Personal Information.
– May be used to damage or discriminate against a person
• Privileged Information
– Information intended only for specified recipients.

Sensitive Personal Information and Privilege Information

The processing of sensitive personal information and privileged information shall be
prohibited, except in the following cases:
(a) The data subject has given his or her consent, specific to the purpose prior to the
processing;
(b) Processing is provided for by laws and regulations with protection of information and
consent if required by such law;
(c) Necessary to protect the life and health of the data subject or another person, and the
data subject is not legally or physically able to express his or her consent;
(d) Necessary to achieve the lawful and noncommercial objectives of public
organizations: Provided information are not transferred to third parties and the consent
of the data subject was obtained;
(e) Necessary for purposes of medical treatment and is carried out by a medical
practitioner; or
(f) Necessary for the protection of lawful rights in court proceedings, or exercise of legal
claims, or when provided to government or public authority.

Subcontract of Personal Information

– A personal information controller may subcontract the processing of personal information:
Provided, That the personal information controller shall be responsible for ensuring that
proper safeguards are in place to ensure the confidentiality of the personal information
processed.
Extension of Privilege Communication
– Personal information controllers may invoke the principle of privileged communication
over privileged information that they lawfully control or process.

Surveillance of Suspects and Interception of Recording of Communications

– The processing of personal data for the purpose of surveillance, interception, or recording
of communications shall comply with the Data Privacy Act, including adherence to the
principles of transparency, proportionality, and legitimate purpose.

E. RIGHTS OF DATA SUBJECTS

The data subject is entitled to:

a. Right to be informed.
– The data subject has a right to be informed whether personal data pertaining to him or her
shall be, or have been processed, including the existence of automated decision-making
and profiling.
b. Right to object.
– The data subject shall have the right to object to the processing of his or her personal data,
including processing for direct, automated processing or profiling.
c. Right to Access.
– The data subject has the right to reasonable access to, upon demand, the following:
contents, sources, manner, information, date and designation of personal data.
d. Right to rectification.
– The data subject has the right to dispute the inaccuracy or error in the personal data and
have the personal information controller correct it immediately and accordingly.
e. Right to Erasure or Blocking.
– The data subject shall have the right to suspend, withdraw or order the blocking, removal
or destruction of his or her personal data from the personal information controller’s filing
system.
f. Right to damages.
– The data subject shall be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, unlawfully obtained or unauthorized use of personal data.

Data Subject
– An individual whose personal, sensitive personal, or privileged information is processed.
Personal Information Processor (PIP)
– Sub-contractor or outsources.
Personal Information Controller (PIC)
– Controls or instructs the collection, holding, processing or use of personal information.

Transmissibility of Rights of the Data Subject

– The lawful heirs and assigns of the data subject may invoke the rights of the data subject
for, which he or she is an heir or assignee at any time after the death or when the data
subject is incapacitated or incapable of exercising the rights.
Right to Data Portability
– The data subject shall have the right, where personal information is processed by
electronic means and in a structured and commonly used format, to obtain from the
personal information controller a copy of data undergoing processing in an electronic
or structured format, which is commonly used and allows for further use by the data
subject.

Non-Applicability
– The immediately preceding sections are not applicable if the processed personal
information are used only for the needs of scientific and statistical research and, on the
basis of such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, That the personal information shall be held under strict confidentiality
and shall be used only for the declared purpose. Likewise, the immediately preceding
sections are not applicable to processing of personal information gathered for the purpose
of investigations in relation to any criminal, administrative or tax liabilities of a data
subject.

REFERENCES:
Bar Review Notes (2019)
Prepared by: Atty. Arnel D. Mateo
link: file:///C:/Users/Asus/Downloads/data-privacy-act-bar-review-notes-2019%20(1).pdf

UP Diliman Data Privacy Notes

link: file:///C:/Users/Asus/Downloads/UPD-Data_Privacy-Notes%20(1).pdf