REPUBLIC ACT No.
10173 (b) Consent of the data subject refers to any
AN ACT PROTECTING INDIVIDUAL
PERSONAL INFORMATION IN
INFORMATION AND
COMMUNICATIONS SYSTEMS IN
THE GOVERNMENT AND THE
PRIVATE SECTOR, CREATING FOR
THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR
OTHER PURPOSES
CHAPTER I
GENERAL PROVISIONS
SEC. 1. Short Title- This Act shall be
known as the "Data Privacy Act of 2012",
SEC. 2. Declaration of Policy- It is the
policy of the State to protect the
fundamental human right of privacy, of
communication while ensuring free flow of
information to promote innovation and
growth. The State recognizes the vital role
of information and communications
technology in nation-building and its
inherent obligation to ensure that personal
information in information and
communications systems in the government
and in the private sector are secured and
protected.
SEC. 3. Definition of Terms- Whenever
used in this Act, the following terms shall
have the respective meanings hereafter set
forth:
(a) Commission shall refer to the National
Privacy Commission created by virtue of
this Act.
freely given, specific, informed indication of
will, whereby the data subject agrees to the
collection and processing of personal
information about and/or relating to him or
her. Consent shall be evidenced by written,
electronic or recorded means. It may also be
given on behalf of the data subject by an
agent specifically authorized by the data
subject to do so.
(c) Data subject refers to an individual
whose personal information is processed.
Data subject
It refers to an individual whose personal,
sensitive personal, or privileged information
is processed.
(d) Direct marketing refers to
communication by whatever means of any
advertising or marketing material which is
directed to particular individuals.
(e) Filing system refers to any act of
information relating to natural or juridical
persons to the extent that, although the
information is not processed by equipment
operating automatically in response to
instructions given for that purpose, the set is
structured, either by reference to individuals
or by reference to criteria relating to
individuals, in such a way that specific
information relating to a particular person is
readily accessible.
(f)Information and Communications System
refers to a system for generating, sending,
receiving, storing or otherwise processing
electronic data messages or electronic
documents and includes the computer
system or other similar device by or which
data is recorded, transmitted or stored and
any procedure related to the recording,
transmission or storage of electronic data,
electronic message, or electronic document.
(g) Personal information refers to any
information whether recorded in a material
form or not, from which the identity of an
individual is apparent or can be reasonably
and directly ascertained by the entity
holding the information, or when put
together with other information would
directly and certainly identify an individual.
(h) Personal information controller refers to
a person or organization who controls the
collection, holding, processing or use of
personal information, including a person or
organization who instructs another person or
organization to collect, hold, process, use,
transfer or disclose personal information on
his or her behalf. The term excludes:
(1) A person or organization who
performs such functions as instructed
by another person or organization;
and
(2) An individual who collects,
holds, processes or uses personal
information in connection with the
individual's personal, family or
household affairs.
(i) Personal information processor refers to
any natural or juridical person qualified to
act as such under this Act to whom a
personal information controller may
outsource the processing of personal data
pertaining to a data subject.
(j)Processing refers to any operation or any
set of operations performed upon personal
information including, but not limited to, the
collection, recording, organization, storage,
updating or modification, retrieval,
consultation, use, consolidation, blocking,
erasure or destruction of data.
Note:
Processing may be performed through
automated means, or manual processing, if
the personal data are contained or are
intended to be contained in a filing system.
(k) Privileged information refers to any and
all forms of data which under the Rules of
Court and other pertinent laws constitute
privileged communication.
(1) Sensitive personal information refers
to personal information:
1. About an individual’s race,
ethnic origin, marital status,
age, color, and religious,
philosophical or political
affiliations.
2. About an individual’s health,
education, genetic or sexual
life of a person, or to any
proceeding for any offense
committed or alleged to have
been committed by such
person, the disposal of such
proceedings, or the sentence
of any court in such
proceedings;
3. Issued by government
agencies peculiar to an
individual which Includes,
but not limited to, social
security numbers, previous or
current health records,
 licenses or its denials,
suspension or revocation, and
tax returns; and
4. Specifically established by an
executive order or an act of
Congress to be kept
classified.
Data processing systems
It refers to the structure and procedure by
which personal data is collected and further
processed in an information and
communications system or relevant filing
system, including the purpose and intended
output of the processing.
Data sharing
It is the disclosure or transfer to a third party
of personal data under the custody of a
personal information controller or personal
information processor. In the case of the
latter, such disclosure or transfer must have
been upon the instructions of the personal
information controller concerned. The term
excludes outsourcing, or the disclosure or
transfer of personal data by a personal
information controller to a personal
information processor.
Personal data
It refers to all types of personal information.
Personal data breach
It refers to a breach of security leading to the
accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or
access to, personal data transmitted, stored,
or otherwise processed.
Profiling
It refers to any form of automated
processing of personal data consisting of the
use of personal data to evaluate certain
personal aspects relating to a natural person,
in particular to analyze or predict aspects
concerning that natural person’s
performance at work, economic situation,
health, personal preferences, interests,
reliability, behavior, location or movements.
Public authority
It refers to any government entity created by
the Constitution or law, and vested with law
enforcement or regulatory authority and
functions.
Security incident
It is an event or occurrence that affects or
tends to affect data protection, or may
compromise the availability, integrity and
confidentiality of personal data. It includes
incidents that would result to a personal data
breach, if not for safeguards that have been
put in place.3
SEC. 4. Scope- This Act applies to the
processing of all types of personal
information and to any natural and juridical
person involved in personal information
processing including those personal
information controllers and processors who,
although not found or established in the (c) Information relating to any
Philippines, use equipment that are located discretionary benefit of a financial
in the Philippines, or those who maintain an nature such as the granting of a
office, branch or agency in the Philippines license or permit given by the
subject to the immediately succeeding government to an individual,
paragraph: Provided, That the requirements including the name of the individual
of Section 5 are complied with. and the exact nature of the benefit;
(d) Personal information processed for
journalistic, artistic, literary or
This Act does not apply to the following: research purposes;
(e) Information necessary in order to
(a) Information about any individual
carry out the functions of public
who is or was an officer or employee
authority which includes the
of a government institution that
processing of personal data for the
relates to the position or functions of
performance by the independent,
the individual, including:
central monetary authority and law
1) The fact that the individual is or was
enforcement and regulatory agencies
an officer or employee of the
of their constitutionally and
government institution;
statutorily mandated functions.
2) The title, business address and office
Nothing in this Act shall be
telephone number of the individual;
construed as to have amended or
3) The classification, salary range and
repealed Republic Act No. 1405,
responsibilities of the position held
otherwise known as the Secrecy of
by the individual; and
Bank Deposits Act; Republic Act No.
4) The name of the individual on a
6426, otherwise known as the
document prepared by the individual
Foreign Currency Deposit Act; and
in the course of employment with the
Republic Act No. 9510, otherwise
government;
known as the Credit Information
System Act (CISA);
(b) Information about an individual who
(f) Information necessary for banks and
is or was performing service under
other financial institutions under the
contract for a government institution
jurisdiction of the independent,
that relates to the services performed,
central monetary authority or
including the terms of the contract,
Bangko Sentral ng Pilipinas to
and the name of the Individual given
comply with Republic Act No. 9510,
in the course of the performance of
and Republic Act No. 9160, as
those services;
amended, otherwise known as the
Anti-Money Laundering Act and
other applicable laws; and
 (g) Personal information originally
collected from residents of foreign
jurisdictions in accordance with the
laws of those foreign jurisdictions,
including any applicable data privacy
laws, which is being processed in the
Philippines.
performing a service under
contract for a government
institution, but only in so far
as it relates to such service,
including the name of the
individual and the terms of
his or her contract;

R.A. 10173 and the Implementing Rules and 3. Information relating to a

Regulations shall not apply to the following benefit of a financial nature
specified information, only to the minimum conferred on an individual
extent of collection, access, use, disclosure upon the discretion of the
or other processing necessary to the purpose, government, such as the
function, or activity concerned: granting of a license or
permit, including the name of
a. Information processed for purpose of
the individual and the exact
allowing public access to
nature of the benefit:
information that fall within matters
Provided, that they do not
of public concern, pertaining to:
include benefits given in the
1. Information about any
course of an ordinary
individual who is or was an
transaction or as a matter of
officer or employee of the
right;
government that relates to his
or her position or functions,
including:
b. Personal information processed for
a) The fact that the individual is or was
journalistic, artistic or literary
an officer or employee of the
purpose, in order to uphold freedom
government;
of speech, of expression, or of the
b) The title, office address, and office
press, subject to requirements of
telephone number of the individual;
other applicable law or regulations;
c) The classification, salary range, and
responsibilities of the position held
c. Personal information that will be
by the individual; and
processed for research purpose,
d) The name of the individual on a
intended for a public benefit, subject
document he or she prepared in the
to the requirements of applicable
course of his or her employment with
laws, regulations, or ethical
the government.
standards;
2. Information about an
individual who is or was
 d. Information necessary in order to
carry out the functions of public
authority, in accordance with a
constitutionally or statutorily
mandated function pertaining to law
enforcement or regulatory function,
including the performance of the
functions of the independent, central
monetary authority, subject to
restrictions provided by law. Nothing
in this Act shall be construed as
having amended or repealed
Republic Act No. 1405, otherwise
known as the Secrecy of Bank
Deposits Act; Republic Act No.
6426, otherwise known as the
Foreign Currency Deposit Act; and
Republic Act No. 9510, otherwise
known as the Credit Information
System Act (CISA);
e. Information necessary for banks,
other financial institutions under the
jurisdiction of the independent,
central monetary authority or
Bangko Sentral ng Pilipinas, and
other bodies authorized by law, to the
extent necessary to comply with
Republic Act No. 9510 (CISA),
Republic Act No. 9160, as amended,
otherwise known as the Anti-Money
Laundering Act, and other applicable
laws;
f. Personal information originally collected
from residents of foreign jurisdictions in
accordance with the laws of those foreign
jurisdictions, including any applicable data
privacy laws, which is being processed in
the Philippines. The burden of proving the
law of the foreign jurisdiction falls on the
person or body seeking exemption. In the
absence of proof, the applicable law shall be
presumed to be R.A. 10173 and the Rules:
Provided, that the non-applicability of R.A.
10173 or the Rules do not extend to personal
information controllers or personal
information processors, who remain subject
to the requirements of implementing security
measures for personal data protection:
Provided further, that the processing of the
information provided in the preceding
paragraphs shall be exempted from the
requirements of R.A. 10173 only to the
minimum extent necessary to achieve the
specific purpose, function, or activity.
SEC. 5. Protection Afforded to Journalists
and Their Sources- Nothing in this Act
shall be construed as to have amended or
repealed the provisions of Republic Act No.
53, which affords the publishers, editors or
duly accredited reporters of any newspaper,
magazine or periodical of general circulation
protection from being compelled to reveal
the source of any news report or information
appearing in said publication which was
related in any confidence to such publisher,
editor, or reporter.
Protection afforded to Data Subjects
a. The personal information controller
or personal information processor
shall uphold the rights of data
subjects, and adhere to general data
privacy principles and the
requirements of lawful processing
 b. The burden of proving that R.A.
10173 and the Rules and Regulations
are not applicable to a particular
information falls on those involved
in the processing of personal data or
the party claiming the non-
applicability.
c. In all cases, the determination of any
exemption shall be liberally
interpreted in favor of the rights and
interests of the data subject.
Protection Afforded to Journalists and
their Sources
a. Publishers, editors, or duly
accredited reporters of any
newspaper, magazine or periodical of
general circulation shall not be
compelled to reveal the source of any
news report or information appearing
in said publication if it was related in
any confidence to such publisher,
editor, or reporter.
b. Publishers, editors, or duly
accredited reporters who are likewise
personal information controllers or
personal information processors
within the meaning of the law are
still bound to follow the Data
Privacy Act and related issuances
with regard to the processing of
personal data, upholding rights of
their data subjects and maintaining
compliance with other provisions
that are not incompatible with the
protection provided by Republic Act
No. 53.
What is Republic Act No. 53?
An Act to exempt the publisher, editor or
reporter of any publication from revealing
the source of published news or information
obtained in confidence.
SEC. 6. Extraterritorial Application- This
Act applies to an act done or practice
engaged in and outside of the Philippines by
an entity if:
a) The act, practice or processing
relates to personal information about
a Philippine citizen or a resident;
b) The entity has a link with the
Philippines, and the entity is
processing personal information in
the Philippines or even if the
processing is outside the Philippines
as long as it is about Philippine
citizens or residents such as, but not
limited to, the following:
1) A contract is entered in the
Philippines;
2) A juridical entity unincorporated
in the Philippines but has central
management and control in the
country; and
3) An entity that has a branch,
agency, office or subsidiary in the
Philippines and the parent or
affiliate of the Philippine entity has
access to personal information; and
c) ) The entity has other links in the
Philippines such as, but not limited
to:
1) The entity carries on business in
the Philippines; and
 2) The personal information was
collected or held by an entity in the
Philippines.
RA. 10173 and the Implementing Rules
and Regulations apply to the processing of
personal data by any natural and juridical
person in the government or private sector.
They apply to an act done or practice
engaged in and outside of the Philippines if:
a. The natural or juridical person
involved in the processing of
personal data is found or established
in the Philippines;
b. The act, practice or processing
relates to personal data about a
Philippine citizen or Philippine
resident;
c. The processing of personal data is
being done in the Philippines; or
d. .The act, practice or processing of
personal data is done or engaged in
by an entity with links to the
Philippines, with due consideration
to international law and comity, such
as, but not limited to, the following:
1. Use of equipment located in the
country, or maintains an office,
branch or agency in the Philippines
for processing of personal data;
2. A contract is entered in the
Philippines;
3. A juridical entity unincorporated in
the Philippines but has central
management and control in the
country;
4. An entity that has a branch, agency,
office or subsidiary in the Philippines
and the parent or affiliate of the
Philippine entity has access to
personal data;
5. An entity that carries on business in
the Philippines;
6. An entity that collects or holds
personal data in the Philippines.
CHAPTER II
THE NATIONAL PRIVACY
COMMISSION
The National Privacy Commission is an
independent body mandated to administer
and implement R.A. 10173, and to monitor
and ensure compliance of the country with
international standards set for personal data
protection.⁸
SEC. 7. Functions of the National Privacy
Commission. To administer and implement
the provisions of this Act, and to monitor
and ensure compliance of the country with
international standards set for data
protection, there is hereby created an
independent body to be known as the
National Privacy Commission, which shall
have the following functions:
a) Ensure compliance of personal
information controllers with the
provisions of this Act;
b) Receive complaints, institute
investigations, facilitate or enable
settlement of complaints through the
use of alternative dispute resolution
processes, adjudicate, award
indemnity on matters affecting any
personal information, prepare reports
on disposition of complaints and
 resolution of any investigation it h) Publish a compilation of agency
initiates, and, in cases it deems system of records and notices,
appropriate, publicize any such including index and other finding
report: Provided, That in resolving aids;
any complaint or investigation i) Recommend to the Department of
[except where amicable settlement is Justice (DOJ) the prosecution and
reached by the parties), the imposition of penalties specified in
Commission shall act as a collegial Sections 25 to 29 of this Act;
body. For this purpose, the j) Review, approve, reject or require
Commission may be given access to modification of privacy codes
personal information that is subject voluntarily adhered to by personal
of any complaint and to collect the information controllers:
information necessary to perform its
Provided, That the privacy codes shall
functions under this Act;
adhere to the underlying data privacy
c) Issue cease and desist orders, impose
principles embodied in this Act: Provided,
a temporary or permanent ban on the
further, That such privacy codes may include
processing of personal information,
private dispute resolution mechanisms for
upon finding that the processing will
complaints against any participating
be detrimental to national security
personal information controller. For this
and public interest;
purpose, the Commission shall consult with
d) Compel or petition any entity,
relevant regulatory agencies in the
government agency or
formulation and administration of privacy
instrumentality to abide by its orders
codes applying the standards set out in this
or take action on a matter affecting
Act, with respect to the persons, entities,
data privacy;
business activities and business sectors that
e) Monitor the compliance of other
said regulatory bodies are authorized to
government agencies or
principally regulate pursuant to the law:
instrumentalities on their security
Provided, finally, That the Commission may
and technical measures and
review such privacy codes and require
recommend the necessary action in
changes thereto for purposes of complying
order to meet minimum standards for
with this Act:
protection of personal information
pursuant to this Act; k) Provide assistance on matters
f) Coordinate with other government relating to privacy or data protection
agencies and the private sector on at the request of a national or local
efforts to formulate and implement agency, a private entity or any
plans and policies to strengthen the person;
protection of personal information in l) Comment on the implication on data
the country; privacy of proposed national or local
g) Publish on a regular basis a guide to statutes, regulations or procedures,
all laws relating to data protection; issue advisory opinions and interpret
 the provisions of this Act and other
data privacy laws;
m) Propose legislation, amendments or
modifications to Philippine laws on
privacy or data protection as may be
necessary;
n) Ensure proper and effective
coordination with data privacy
regulators in other countries and
private accountability agents,
participate in international and
regional initiatives for data privacy
protection;
o) Negotiate and contract with other
data privacy authorities of other
countries for cross-border application
and implementation of respective
privacy laws;
p) Assist Philippine companies doing
business abroad to respond to foreign
privacy or data protection laws and
regulations; and
q) Generally, perform such acts as may
be necessary to facilitate cross-
border enforcement of data privacy
protection.
The National Privacy Commission shall
have the following functions:
a. Rule Making
The Commission shall develop, promulgate,
review or amend rules and regulations for
the effective implementation of R.A. 10173.
This includes:
1. Recommending organizational,
physical and technical security
measures for personal data
protection, encryption, and access to
sensitive personal information
maintained by government agencies,
considering the most appropriate
standard recognized by the
information and communications
technology industry, as may be
necessary:
2. Specifying electronic format and
technical standards, modalities and
procedures for data portability, as
may be necessary;
3. Issuing guidelines for organizational,
physical, and technical security
measures for personal data
protection, taking into account the
nature of the personal data to be
protected, the risks presented by the
processing, the size of the
organization and complexity of its
operations, current data privacy best
practices, cost of security
implementation, and the most
appropriate standard recognized by
the information and communications
technology industry, as may be
necessary;
4. Consulting with relevant regulatory
agencies in the formulation, review,
amendment, and administration of
privacy codes, applying the standards
set out in R.A 10173, with respect to
the persons, entities, business
activities, and business sectors that
said regulatory bodies are authorized
to principally regulate pursuant to
law;
5. Proposing legislation, amendments
or modifications to Philippine laws
on privacy or data protection, as may
be necessary;

6. Ensuring proper and effective
coordination with data privacy
regulators in other countries and
private accountability agents, and
person, including the enforcement of
rights of data subjects; and
4. . Assisting Philippine companies
doing business abroad to respond to
data protection laws and regulations.

7. Participating in international and c. Public Education

regional initiatives for data privacy
The Commission shall undertake necessary
protection.
or appropriate effots to inform and educate
the public of data privacy, data protection,
and fair information rights and
b. Advisory
responsibilities. This includes:
The Commission shall be the advisory body
1. Publishing, on a regular basis, a
on matters affecting protection of personal
guide to all laws relating to data
data. This includes:
protection;
2. Publishing a compilation of agency
system of records and notices,
1. Commenting on the implication on
including index and other finding
data privacy of proposed national or
aids, and
local statutes, regulations or
3. Coordinating with other government
procedures, issuing advisory
agencies and the private sector on
opinions, and interpreting the
efforts to formulate and implement
provisions of R.A. 10173 and other
plans and policies to strengthen the
data privacy laws;
protection of personal data in the
2. Reviewing, approving, rejecting, or
country.
requiring modification of privacy
codes voluntarily adhered to by
personal information controllers,
d. Compliance and Monitoring
which may include private dispute
resolution mechanisms for The Commission shall perform compliance
complaints against any participating and monitoring functions to ensure effective
personal information controller, and implementation of R.A. 10173, the Rules,
which adhere to the underlying data and other Issuances. This includes:
privacy principles embodied in R.A.
1. Ensuring compliance by
10173 and the Rules;
personal information
3. Providing assistance on matters
controllers with the
relating to privacy or data protection
provisions of R.A. 10173;
at the request of a national or local
2. Monitoring the compliance of
agency, a private entity or any
all government agencies or
 instrumentalities as regards
their security and technical
measures, and recommending
the necessary action in orde
to meet minimum standards
for protection of personal
data pursuant to R.A. 10173;
3. Negotiating and contracting
with other data privacy
authorities of other countries
for cross-border application
and implementation of
respective privacy laws;
4. Generally performing such
acts as may be necessary to
facilitate cross-border
enforcement of data privacy
protection; and
5. Managing the registration of
personal data processing
systems in the country,
including the personal data
processing system of
contractors and their
employees entering into
contracts with government
agencies that involves
accessing or requiring
sensitive personal
information of at least 1,000
individuals.
e. Complaints and Investigations
The Commission shall adjudicate on
complaints and investigations on matters
affecting personal data: Provided, that in
f. Enforcement
resolving any complaint or investigation,
except where amicable settlement is reached
by the parties, the Commission shall act as a
The Commission shall perform all acts as
collegial body. This includes:
may be necessary to effectively implement
a. Receiving complaints and
instituting investigations
regarding violations of R.A.
10173, the Rules, and other
issuances of the Commission,
including violations of the
rights of data subjects and
other matters affecting
personal data;
b. Summoning witnesses, and
requiring the production of
evidence by a subpoena
duces tecum for the purpose
of collecting the information
necessary to perform its
functions under R.A. 10173:
Provided, that the
Commission may be given
access to personal data that is
subject of any complaint;
c. Facilitating or enabling
settlement of complaints
through the use of alternative
dispute resolution processes,
and adjudicating on matters
affecting any personal data;
and
d. Preparing reports on the
disposition of complaints and
the resolution of any
investigation it initiates, and,
in cases it deems appropriate,
publicizing such reports.
R.A. 10173, the Rules and Regulations, and
its other issuances, and to enforce its Orders,
Resolutions or Decisions, including the
imposition of administrative sanctions, fines,
or penalties. This includes:
1. Issuing compliance or enforcement
orders;
2. Awarding indemnity on matters affecting
any personal data, or rights of data subjects;
3. Issuing cease and desist orders, or
imposing a temporary or permanent ban on
the processing of personal data, upon finding
that the processing will be detrimental to
national security or public interest, or if it is
necessary to preserve and protect the rights
of data subjects;
4. Recommending to the Department of
Justice (DOJ) the prosecution of crimes and
imposition of penalties specified in R.A.
10173;
5. Compelling or petitioning any entity,
government agency, or instrumentality, to
abide by its orders or take action on a matter
affecting data privacy; and
6. Imposing administrative fines for
violations of R.A. 10173, the Rules and
Regulations, and other issuances of the
Commission.
g. Other functions.
The Commission shall exercise such other
functions as may be necessary to fulfill its
mandate under R.A. 10173.⁹
Administrative Issuances
The Commission shall publish or issue
official directives and administrative
issuances, orders, and circulars, which
include:
a. Rules of procedure in the exercise of
its quasi-judicial functions, subject to
the suppletory application of the
Rules of Court;
b. Schedule of administrative fines and
penalties for violations of R.A.
10173, the Rules, and issuances or
Orders of the Commission, including
the applicable fees for its
administrative services and filing
fees;
c. Procedure for registration of data
processing systems, and notification;
and
d. Other administrative issuances
consistent with its mandate and other
functions. 10
SEC. 8. Confidentiality- The Commission
shall ensure at all times the confidentiality of
any personal information that comes to its
knowledge and possession.
Members, employees, and consultants of the
Commission shall ensure at all times the
confidentiality of any personal data that
come to their knowledge and possession:
Provided, that such duty of confidentiality
shall remain even after their term,
employment, or contract has ended.11
SEC. 9. Organizational Structure of the or she shall be liable for willful or negligent
Commission- The Commission shall be acts done by him or her which are contrary
attached to the Department of Information to law, morals, public policy and good
and Communications Technology (DICT) customs even if he or she acted under orders
and shall be headed by a Privacy or instructions of superiors: Provided, That
Commissioner, who shall also act as in case a lawsuit is filed against such official
Chairman of the Commission. The Privacy on the subject of the performance of his or
Commissioner shall be assisted by two (2) her duties, where such performance is
Deputy Privacy Commissioners, one to be lawful, he or she shall be reimbursed by the
responsible for Data Processing Systems and Commission for reasonable costs of
one to be responsible for Policies and litigation.
Planning. The Privacy Commissioner and
the two (2) Deputy Privacy Commissioners
shall be appointed by the President of the Note:
Philippines for a term of three (3) years, and
Qualified employees of the Commission
may be reappointed for another term of three
shall be covered by Republic Act No. 8349,
(3) years. Vacancies in the Commission shall
which provides a magna carta for scientists,
be filled in the same manner in which the
engineers, researchers, and other science
original appointment was made. The Privacy
and technology personnel in the
Commissioner must be at least thirty-five
government.12
(35) years of age and of good moral
character, unquestionable integrity and
known probity, and a recognized expert in
SEC. 10. The Secretariat- The Commission
the field of information technology and data
is hereby authorized to establish a
privacy. The Privacy Commissioner shall
Secretariat. Majority of the members of the
enjoy the benefits, privileges and
Secretariat must have served for at least five
emoluments equivalent to the rank of
(5) years in any agency of the government
Secretary. The Deputy Privacy
that is involved in the processing of personal
Commissioners must be recognized experts
information including, but not limited to, the
in the field of information and
following offices: Social Security System
communications technology and data
(SSS), Government Service Insurance
privacy. They shall enjoy the benefits,
System (GSIS), Land Transportation Office
privileges and emoluments equivalent to the
(LTO), Bureau of Internal Revenue (BIR),
rank of Undersecretary.
Philippine Health Insurance Corporation
(PhilHealth), Commission on Elections
(COMELEC), Department of Foreign
The Privacy Commissioner, the Deputy
Affairs (DFA), Department of Justice (DOJ),
Commissioners, or any person acting on
and Philippine Postal Corporation
their behalf or under their direction, shall not
(Philpost).
be civilly liable for acts done in good faith in
the performance of their duties, However, he
 Personal information must be:
The Commission is authorized to establish a
Secretariat, which shall assist in the
performance of its functions. The Secretariat
shall be headed by an Executive Director
and shall be organized according to the
following offices:
a. Data Security and Compliance
Office;
b. Legal and Enforcement Office;
c. Finance and Administrative Office;
d. Privacy Policy Office; and
e. Public Information and Assistance
Office.
Majority of the members of the
Secretariat, in so far as practicable, must
have served for at least 5 years in any
agency of the government that is involved in
the processing of personal data including,
but not limited to, the following offices:
Social Security System (SSS), Government
Service Insurance System (GSIS), Land
Transportation Office (LTO), Bureau of
Internal Revenue (BIR), Philippine Health
Insurance Corporation
CHAPTER III
PROCESSING OF PERSONAL
INFORMATION
SEC. 11. General Data Privacy
Principles- The processing of personal
information shall be allowed, subject to
compliance with the requirements of this Act
and other laws allowing disclosure of
information to the public and adherence to
the principles of transparency, legitimate
purpose and proportionality.
a. Collected for specified and
legitimate purposes determined and
declared before, or as soon as
reasonably practicable after
collection, and later processed in a
way compatible with such declared,
specified and legitimate purposes
only;
b. Processed fairly and lawfully;
c. Accurate, relevant and, where
necessary for purposes for which it is
to be used the processing of personal
information, kept up to date;
inaccurate or incomplete data must
be rectified.
d. Supplemented, destroyed or their
further processing restricted; d)
Adequate and not excessive in
relation to the purposes for which
they are collected and processed;
e. Retained only for as long as
necessary for the fulfillment of the
purposes for which the data was
obtained or for the establishment,
exercise or defense of legal claims,
or for legitimate business purposes,
or as provided by law; and
f. Kept in a form which permits
identification of data subjects for no
longer than is necessary for the
purposes for which the data were
collected and processed: Provided,
That personal information collected
for other purposes may be processed
for historical, statistical or scientific
purposes, and in cases laid down in
law may be stored for longer periods:
Provided, further, That adequate
 safeguards are guaranteed by said
laws authorizing their processing.
The personal Information controller must
ensure implementation of personal
information processing principles set out
herein.
PRINCIPLES OF TRANSPARENCY,
LEGITIMATE PURPOSE AND
PROPORTIONALITY
The processing of personal data shall be
allowed subject to adherence to the
principles of transparency, legitimate
purpose, and proportionality.
I. Transparency
The data subject must be aware of the
nature, purpose, and extent of the processing
of his or her personal data, including the
risks and safeguards involved, the identity of
personal information controller, his or her
rights as a data subject, and how these can
be exercised. Any information and
communication relating to the processing of
personal data should be easy to access and
understand using clear and plain language.
II. Legitimate purpose
The processing of information shall be
compatible with a declared and specified
purpose which must not be contrary to law,
morals, or public policy.
III. Proportionality
The processing of information shall be
adequate, relevant, suitable, necessary, and
not excessive in relation to a declared and
specified purpose. Personal data shall be
processed only if the purpose of the
processing could not reasonably be fulfilled
by other means. 14
GENERAL PRINCIPLES IN
COLLECTION, PROCESSING AND
RETENTION
The processing of personal data shall adhere
to the following general principles in the
collection, processing, and retention of
personal data:
I. Collection must be for a
declared, specified, and
legitimate purpose
1. Consent is required prior to
the collection and processing
of personal data, subject to
exemptions provided by R.A.
10173 and other applicable
laws and regulations. When
consent is required, it must be
time-bound in relation to the
declared. Specified and
legitimate purpose. Consent
given may be withdrawn.
2. The data subject must be
provided specific information
regarding the purpose and
extent of processing,
including, where applicable,
the automated processing of
his or her personal data for
profiling or processing for
direct marketing, and data
sharing,
3. Purpose should be
determined and declared
 before, or as soon as
reasonably practicable, after
collection.
4. Only personal data that is
necessary and compatible
with declared specified, and
legitimate purpose shall be
collected.
II. Personal data shall be
processed fairly and lawfully
1. Processing shall uphold the rights of
the data subject, including the right
to refuse, withdraw consent, or
object. It shall likewise be
transparent, and allow the data
subject sufficient information to
know the nature and extent of
processing.
2. Information provided to a data
subject must always be in clear ans
plain language to ensure that they are
easy to understand and access.
3. Processing must be in a manner
compatible with declared, specified,
and legitimate purpose.
4. Processed personal data should be
adequate, relevant, and limited to
what is necessary in relation to the
purposes for which they are
processed.
5. Processing shall be undertaken in a
manner that ensures appropriate
privacy and security safeguards.
III. Processing should ensure data
quality
1. Personal data should be
accurate and where necessary
for declared, specified and
legitimate purpose, kept up to
date.
2. Inaccurate or incomplete data
must be rectified,
supplemented, destroyed or
their further processing
restricted.
IV. Personal Data shall not be
retained longer than necessary
1. Retention of personal data
shall only for as long as
necessary:
a) For the fulfillment of the declared,
specified, and legitimate purpose, or
when the processing relevant to the
purpose has been terminated:
b) For the establishment, exercise or
defense of legal claims; or
c) For legitimate business purposes,
which must be consistent with
standards followed by the applicable
industry or approved by appropriate
government agency.
V. Any authorized further processing shall
have adequate safeguards
1. Personal data originally
collected for a declared,
specified, or legitimate
purpose may be processed
further for historical,
statistical, or scientific
purposes, and, in cases laid
down in law, may be stored
for longer periods, subject to
implementation of the
appropriate organizational,
physical, and technical
 security measures required by 2. Data sharing for commercial purposes,
R.A. 10173 in order to including direct marketing, shall be covered
safeguard the rights and by a data sharing agreement.
freedoms of the data subject.
a. The data sharing agreement shall
2. Personal data which is
establish adequate safeguards for
aggregated or kept in a form
data privacy and security, and uphold
which does not permit
rights of data subjects.
identification of data subjects
b. The data sharing agreement shall be
may be kept longer than
subject to review by the
necessary for the declared,
Commission, on its own initiative or
specified, and legitimate
upon complaint of data subject.
purpose.
3. Personal data shall not be
retained in perpetuity in
3.The data subject shall be provided with the
contemplation of a possible
following information prior to collection or
future use yet to be
before data is shared:
determined. 15
a) Identity of the personal information
GENERAL PRINCIPLES FOR DATA
controllers or personal information
SHARING
processors that will be given access
Further Processing of Personal Data to the personal data;
collected from a party other than the Data b) Purpose of data sharing:
Subject shall be allowed under any of the c) Categories of personal data
following conditions: concerned;
d) Intended recipients or categories of
A. Data sharing shall be allowed when it is
recipients of the personal data;
expressly authorized by law: Provided, that
e) Existence of the rights of data
there are adequate safeguards for data
subjects, including the right to access
privacy and security, and processing adheres
and correction, and the right to
to principle of transparency, legitimate
object; and
purpose and proportionality.
f) Other information that would
B. Data Sharing shall be allowed in the sufficiently notify the data subject of
private sector if the data subject consents the nature and extent of data sharing
to data sharing, and the following conditions and the manner of processing.
are complied with:
4)Further processing of shared data shall
1. Consent for data sharing shall be required adhere to the data privacy principles laid
even when the data is to be shared with an down in R.A. 10173, the Rules, and
affiliate or mother company, or similar other issuances of the Commission.
relationships:
 C. Data collected from parties other
than the data subject for purpose of
research shall be allowed when the
personal data is publicly available, or
has the consent of the data subject
for purpose of research: Provided,
that adequate safeguards are in place,
and no decision directly affecting the
data subject shall be made on the
basis of the data collected or
processed. The rights of the data
subject shall be upheld without
compromising research integrity.
D. Data sharing between government
agencies for the purpose of a public
function or provision of a public
service shall be covered by a data
sharing agreement.
1. Any or all government agencies,
party to the agreement, shall comply
with R.A. 10173, the Rules and
Regulations, and all other issuances
of the Commission, including putting
in place adequate safeguards for data
privacy and security.
2. The data sharing agreement shall be
subject to review of the Commission,
on its own initiative or upon
complaint of data subject. 16
SEC. 12. Criteria for Lawful Processing
of Personal Information- The processing of
personal information shall be permitted only
if not otherwise prohibited by law, and when
at least one of the following conditions
exists:
a) The data subject has given his or her
consent;
b) The processing of personal
information is necessary and is
related to the fulfillment of a contract
with the data subject or in order to
take steps at the request of the data
subject prior to entering into a
contract;
c) The processing is necessary for
compliance with a legal obligation to
which the personal information
controller is subject:
d) The processing is necessary to
protect vitally important interests of
the data subject, including life and
health;
e) The processing is necessary in order
to respond to national emergency, to
comply with the requirements of
public order and safety, or to fulfill
functions of public authority which
necessarily includes the processing
of personal data for the fulfillment of
its mandate; or
f) The processing is necessary for the
purposes of the legitimate interests
pursued by the personal information
controller or by a third party or
parties to whom the data is disclosed,
except where such interests are
overridden by fundamental rights
and freedoms of the data subject
which require protection under the
Philippine Constitution.
SEC. 13. Sensitive Personal Information
and Privileged Information– The
processing of sensitive personal information
and privileged information shall be
prohibited, except in the following cases:
a) The data subject has given his or her an adequate level of protection of
consent, specific to the purpose prior personal information is ensured; or
to the processing, or in the case of f) The processing concerns such
privileged information, all parties to personal information as is necessary
the exchange have given their for the protection of lawful rights
consent prior to processing; and interests of natural or legal
b) The processing of the same is persons in court proceedings, or the
provided for by existing laws and establishment, exercise or defense of
regulations: Provided, That such legal claims, or when provided to
regulatory enactments guarantee the government or public authority.
protection of the sensitive personal
information and the privileged
SEC. 14. Subcontract of Personal
information: Provided, further, That
Information- A personal information
the consent of the data subjects are
controller may subcontract the
not required by law or regulation
processing of personal information:
permitting the processing of the
Provided, That the personal information
sensitive personal information or the
controller shall be responsible for
privileged information;
ensuring that proper safeguards are in
c) The processing is necessary to
place to ensure the confidentiality of the
protect the life and health of the data
personal information processed, prevent
subject or another person, and the
its use for unauthorized purposes, and
data subject is not legally or
generally, comply with the requirements
physically able to express his or her
of this Act and other laws for processing
consent prior to the processing:
of personal information. The personal
d) The processing is necessary to
information processor shall comply with
achieve the lawful and
all the requirements of this Act and other
noncommercial objectives of public
applicable laws.
organizations and their associations:
Provided, That such processing is
only confined and related to the bona
SEC. 15. Extension of Privileged
fide members of these organizations
Communication. Personal information
or their associations: Provided,
controllers may invoke the principle of
further, That the sensitive personal
privileged communication over privileged
information are not transferred to
information that they lawfully control or
third parties: Provided, finally, That
process. Subject to existing laws and
consent of the data subject was
regulations, any evidence gathered on
obtained prior to processing:
privileged information is inadmissible.
e) The processing is necessary for
purposes of medical treatment
carried out by a medical practitioner
or a medical treatment institution and
 When the Commission inquires upon
communication claimed to be privileged, the
personal information controller concerned
shall prove the nature of the communication
in an executive session. Should the
communication be determined as privileged,
it shall be excluded from evidence, and the
contents thereof shall not form part of the
records of the case: Provided, that where the
privileged communication itself is the
subject of a breach, or a privacy concern or
investigation, it may be disclosed to the
Commission but only to the extent necessary
for the purpose of investigation, without
including the contents thereof in the
records.17
Note:
Section 7 of Republic Act No. 9372,
otherwise known as the “Human Security
Act of 2007”, is hereby amended to include
the condition that the processing of personal
data for the purpose of surveillance,
interception, or recording of
communications shall comply with the Data
Privacy Act, including adherence to the
principles of transparency, proportionality,
and legitimate purpose. 18
CHAPTER IV
RIGHTS OF THE DATA SUBJECT
SEC. 16. Rights of the Data Subject- The
data subject is entitled to:
(a) Be informed whether personal
information pertaining to him or her
shall be, are being, or have been
processed;
(b) Be furnished the information
indicated hereunder before the entry
of his or her personal information
into the processing system of the
personal information controller, or at
the next practical opportunity:
1) Description of the personal
information to be entered into the
system;
2) Purposes for which they are being or
are to be processed;
3) Scope and method of the personal
information processing:
4) The recipients or classes of recipients
to whom they are or may be
disclosed;
5) Methods utilized for automated
access, if the same is allowed by the
data subject, and the extent to
whichh such access is authorized;
6) The identity and contact details of
the personal information controller
or its representative;
7) The period for which the information
will be stored; and
8) The existence of their rights, i.e., to
access, correction, as well as
the right to lodge a complaint before the
Commission.
 Any information supplied or declaration
made to the data subject on these matters
shall not be amended without prior
notification of data subject: Provided, That
the notification under subsection (b) shall
not apply should the personal information be
needed pursuant to a subpoena or when the
collection and processing are for obvious
purposes, including when it is necessary for
the performance of or in relation to a
contract or service or when necessary or
desirable in the context of an employer.
Employee relationship, between the
collector and the data subject, or when the
information is being collected and processed
as a result of legal obligation;
(c) Reasonable access to, upon demand,
the following:
1) Contents of his or her personal
information that were processed;
2) Sources from which personal
information were obtained;
3) Names and addresses of recipients of
the personal information:
4) Manner by which such data were
processed:
5) Reasons for the disclosure of the
personal information to recipients;
6) Information on automated processes
where the data will or likely to be
made as the sole basis for any
decision significantly affecting or
will affect the data subject;
7) Date when his or her personal
information concerning the data
subject were last accessed and
modified; and
8) The designation, or name or identity
and address of the personal
information controller;
(d) Dispute the inaccuracy or error in the
personal information and have the
personal information controller
correct it immediately and
accordingly, unless the request is
vexatious or otherwise unreasonable.
If the personal information have been
corrected, the personal information
controller shall ensure the
accessibility of both the new and the
retracted information and the
simultaneous receipt of the new and
the retracted information by
recipients thereof: Provided, That the
third parties who have previously
received such processed personal.
Information shall be informed of its
inaccuracy and its rectification upon
reasonable request of the data
subject;
(e) Suspend, withdraw or order the
blocking, removal or destruction of
his or her personal information from
the personal information controller’s
filing system upon discovery and
substantial proof that the personal
information are incomplete,
outdated, false, unlawfully obtained,
used for unauthorized purposes or
are no longer necessary for the
purposes for which they were
collected. In this case, the personal
information controller may notify
third parties who have previously
received such processed personal
information; and

(f) Be indemnified for any damages
sustained due to such inaccurate,
incomplete, outdated, false,
unlawfully obtained or unauthorized
use of personal information.
RIGHTS OF THE DATA SUBJECT
The data subject is entitled to the following
rights:
a. Right to be informed
1. The data subject has a right to be
informed whether personal data
pertaining to him or her shall be, are
being, or have been processed,
including the existence of automated
decision-making and profiling
2. The data subject shall be notified and
furnished with information indicated
hereunder before the entry of his or
her personal data into the processing
system of the personal information
controller, or at the next practical
opportunity:
a. Description of the personal data to be
entered into the system;
b. Purposes for which they are being or
will be processed, including
processing for direct marketing,
profiling or historical, statistical or
scientific purpose;
c. Basis of processing, when processing
is not based on the consent of the
data subject,
d. Scope and method of the personal
data processing:
e. The recipients or classes of recipients
to whom the personal data are or
may be disclosed,
f. Methods utilized for automated
access, if the same is allowed by the
data subject, and the extent to which
such access is authorized, including
meaningful information about the
logic involved, as well as the
significance and the envisaged
consequences of such processing for
the data subject:
g. The identity and contact details of
the personal data controller or its
representative;
h. The period for which the information
will be stored, and
i. The existence of their rights as data
subjects, including the right to
access, correction, and object to the
processing, as well as the right to
lodge a complaint before the
Commission.
b. Right to object
The data subject shall have the
right to object to the processing of
his or her personal data, including
processing for direct marketing,
automated processing or profiling.
The data subject shall also be
notified and given an opportunity to
withhold consent to the processing in
case of changes or any amendment to
the information supplied or declared
to the data subject in the preceding
paragraph.
When a data subject objects or
withholds consent, the personal
information controller shall no
 longer process the personal data,
unless:
1. The personal data is needed
pursuant to a subpoena:
2. The collection and processing
are for obvious purposes
including when it is
necessary for the
performance of or in relation
to a contract or service to
which the data subject is a
party, or when necessary or
desirable in the context of an
employer-employee
relationship between the
collector and the data subiect
or
3. The information is being
collected and processed as a
result of a legal obligation.
c. Right to Access
The data subject has the right to
reasonable access to upon demand the
following:
1. Contents of his or her personal
data that were processed:
2. 2. Sources from which personal
data were obtained:
3. Names and addresses of
recipients of the personal data:
4. Manner by which such data were
processed:
5. Reasons for the disclosure of the
personal data to recipients if any
6. Information on automated
processes where the data will or
is likels to, be made as the sole
basis for any decision that
significantly affects or will affect
the data subject:
7. Date when his or her personal
data concerning the data subject
were last accessed and modified:
and
8. The designation, name or
identity, and address of the
personal information controller.
d. Right to rectification
The data subject has the right to dispute
the inaccuracy or error in the personal data
and have the personal information controller
correct it immediately and accordingly,
unless the request is vexatious or otherwise
unreasonable. If the personal data has been
corrected, the personal information
controller shall ensure the accessibility of
both the new and the retracted information
and the simultaneous receipt of the new and
the retracted information by the intended
recipients thereof: Provided, That recipients
or third parties who have previously
received such processed personal data shall
be informed of its inaccuracy and its
rectification, upon reasonable request of the
data subject.
e. Right to Erasure or Blocking
The data subject shall have the right to
suspend, withdraw or order the blocking,
removal or destruction of his or her personal
data from the personal information
controller’s filing system.
1. This right may be exercised upon
discovery and substantial proof
of any of the following:
 a) The personal data is
incomplete, outdated,
false, or unlawfully
obtained:
b) The personal data is being
used for purpose not
authorized by the data
subject: el
c) The personal data is no
longer necessary for the
purposes for which they
were collected
d) The data subiect
withdraws consent or
objects to the processing
and there is no other legal
ground or overriding
legitimate interest for the
processing
e) The personal data
concerns private
information that is
presudicial to data
subiect, unless justified
by freedom of speech. Of
expression or of the press
or otherwise authorized
f) The processing Is
unlawful and
g) The personal information
controller or personal
information processor
violated the rights of the
data subiect
f. Right to damages
The data subiect shall be indemmfied for
any damages sustained due in such
inaccurate, incomplete, outdated, false,
unlawfully obtained or unauthorized use of
personal data, taking into account any
violation of his or her rights and freedoms as
data subiect.
SEC. 17. Transmissibility of Rights of the
Data Subject- The lawful heirs and assigns
of the data subject may invoke the rights of
the data subject for, which he or she is an
heir or assignee at any time after the death of
the data subject or when the data subject is
incapacitated or incapable of exercising the
rights as enumerated in the immediately
preceding section.
SEC. 18. Right to Data Portability- The
data subject shall have the right, where
personal information is processed by
electronic means and in a structured and
commonly used format, to obtain from the
personal information controller a copy of
data undergoing processing in an electronic
or structured format, which is commonly
used and allows for further use by the data
subject. The Commission may specify the
electronic format referred to above, as well
as the technical standards, modalities and
procedures for their transfer.

SEC. 19. Non-Applicability- The

2. The personal information
immediately preceding sections are
controller may notify third
not applicable if the processed
parties who have previously
personal information are used only
received such processed personal
for the needs of scientific and
information.
statistical research and, on the basis
of such, no activities are carried out
and no decisions are taken regarding
the data subject: Provided, That the
personal information shall be held
under strict confidentiality and shall
be used only for the declared
purpose. Likewise, the immediately
preceding sections are not applicable
to processing of personal information
gathered for the purpose of
investigations in relation to any
criminal, administrative or tax
liabilities of a data subject.
CHAPTER V
SECURITY OF PERSONAL
INFORMATION
SEC. 20. Security of Personal
Information. –
(a) The personal information
controller must implement
reasonable and appropriate
organizational, physical and
technical measures intended
for the protection of personal
information against any
accidental or unlawful
destruction, alteration and
disclosure, as well as against
any other unlawful
processing.
(b) The personal information
controller shall implement
reasonable and appropriate
measures to protect personal
information against natural
dangers such as accidental
loss or destruction, and
human dangers such as
unlawful access, fraudulent
misuse, unlawful destruction,
alteration and contamination.
(c) The determination of the
appropriate level of security
under this section must take
into account the nature of the
personal information to be
protected, the risks
represented by the
processing, the size of the
organization and complexity
of its operations, current data
privacy best practices and the
cost of security
implementation. Subject to
guidelines as the Commission
may issue from time to time,
the measures implemented
must include:
1) Safeguards to protect its computer
network against accidental. Unlawful
or unauthorized usage or interference
with or hindering of their functioning
or availability;
2) A security policy with respect to the
processing of personal information;
3) A process for identifying and
accessing reasonably foreseeable
vulnerabilities in its computer
networks, and for taking
4) Regular monitoring for security
breaches and a process for taking
preventive, corrective and mitigating
action against security incidents that
can lead to a security breach

(d) The personal information

controller must further ensure
that third parties processing
personal information on its
behalf shall implement the
security measures required by
this provision.
(e) The employees, agents or
representatives of a personal
information controller who
are involved in the processing
of personal information under
strict confidentiality if the
personal information are not
intended for public
disclosure. This obligation
shall continue even after
leaving the public service,
transfer to another position or
upon termination of
employment or contractual
relations.
(f) The personal information
controller shall promptly
notify the Commission and
affected data subjects when
sensitive personal