Lecture Notes-Data Privacy Act

The Data Privacy Act aims to protect the right to privacy and ensure the secure processing of personal information in the Philippines. It establishes the National Privacy Commission to oversee compliance with data protection standards and outlines the roles of the Privacy Commissioner and Deputy Privacy Commissioners. The Act applies to all personal data processing by entities in the government and private sectors, emphasizing principles of transparency, legitimate purpose, and proportionality in data handling.

FAR EASTERN UNIVERSITY
Institute of Accounts, Business and Finance
2nd Semester, Academic Year 2023-2024

DATA PRIVACY ACT
R.J.C. Salazar

STATE POLICY AND THE NATIONAL PRIVACY COMMISSION

It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

The National Privacy Commission (“Commission”) is the body that monitors and ensures compliance of the country with international standards set for data protection. The Commission has the following functions:
1. Rule making
2. Advisory
3. Public education
4. Compliance and monitoring functions
5. Adjudicate on complaints and investigations
6. Enforcement functions

Privacy Commissioner
The Commission shall be headed by a Privacy Commissioner, who shall act as Chairman of the Commission. The Privacy Commissioner must be:
1. at least 35 years of age,
2. of good moral character, unquestionable integrity and known probity, and
3. a recognized expert in the field of information technology and data privacy.

The Privacy Commissioner shall enjoy the benefits, privileges, and emoluments equivalent to the rank of Secretary.

Deputy Privacy Commissioners
The Privacy Commissioner shall be assisted by two Deputy Privacy Commissioners. One shall be responsible for Data Processing Systems, while the other shall be responsible for Policies and Planning. The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges, and emoluments equivalent to the rank of Undersecretary.

SCOPE AND APPLICATION

What is right to privacy
It is the right to be let alone – the most comprehensive of rights and the right most valued by civilized men (Justice Brandeis's dissent in Olmstead v. U.S. (1928)).

When DPA is applicable
This Data Privacy Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are in the Philippines, or those who maintain an office, branch or agency in the Philippines.

In short, the DPA applies to the processing of personal data by any natural or juridical person in the government or private sector.

What is personal data
It refers to all types of personal information.

Personal information refers to:
1. Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information;
2. Any information that when put together with other information would directly and certainly identify an individual;
3. Individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
4. Individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
5. Social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
6. Classified or privileged information.

Persons who process personal data
1. Personal information controller
   Refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf.

   The term excludes:
   a. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
   b. A natural person who processes personal data in connection with his or her personal, family, or household affairs.

   There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.

2. Personal information processor
   Refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

When DPA is not applicable
1. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
   a. The fact that the individual is or was an officer or employee of the government institution;
   b. The title, business address and office telephone number of the individual;
   c. The classification, salary range and responsibilities of the position held by the individual; and
   d. The name of the individual on a document prepared by the individual in the course of employment with the government;
2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
4. Personal information processed for journalistic, artistic, literary or research purposes;
5. Information necessary in order to carry out the functions of public authority, which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in the DPA shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
6. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Protection to journalists and their sources
The DPA did not amend or repeal the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine, or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

Extraterritorial application of DPA
The DPA applies to an act done or practice engaged in and outside of the Philippines by an entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
   a. A contract is entered in the Philippines;
   b. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
   c. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
   a. The entity carries on business in the Philippines; and
   b. The personal information was collected or held by an entity in the Philippines.

DATA PRIVACY PRINCIPLES

The processing of personal data shall be allowed, subject to compliance with the requirements of the DPA and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality.

Principles of transparency, legitimate purpose, and proportionality

a. Transparency
   The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

b. Legitimate purpose
   The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

c. Proportionality
   The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

General principles in collection, processing, and retention
The processing of personal data shall adhere to the following general principles in the collection, processing, and retention of personal data:

1. Collection must be for a declared, specified, and legitimate purpose.
   a. Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified, and legitimate purpose. Consent given may be withdrawn.
   b. The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing.
   c. Purpose should be determined and declared before, or as soon as reasonably practicable, after collection.
   d. Only personal data that is necessary and compatible with the declared, specified, and legitimate purpose shall be collected.

2. Personal data shall be processed fairly and lawfully.
   a. Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.
   b. Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.
   c. Processing must be in a manner compatible with the declared, specified, and legitimate purpose.
   d. Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
   e. Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards.

3. Processing should ensure data quality.
   a. Personal data should be accurate and, where necessary for the declared, specified and legitimate purpose, kept up to date.
   b. Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted.

4. Personal data shall not be retained longer than necessary.
   a. Retention of personal data shall be only for as long as necessary:
      i. for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
      ii. for the establishment, exercise or defense of legal claims; or
      iii. for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.
   b. Retention of personal data shall be allowed in cases provided by law.
   c. Personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.

5. Any authorized further processing shall have adequate safeguards.
   a. Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.
   b. Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
   c. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.

General Principles for Data Sharing
Further processing of personal data collected from a party other than the data subject shall be allowed under any of the following conditions:

1. Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to the principles of transparency, legitimate purpose and proportionality.

2. Data sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with:
   a. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships;
   b. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement.
      i. The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold the rights of data subjects.
      ii. The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of the data subject;
   c. The data subject shall be provided with the following information prior to collection or before data is shared:
      i. Identity of the personal information controllers or personal information processors that will be given access to the personal data;
      ii. Purpose of data sharing;
      iii. Categories of personal data concerned;
      iv. Intended recipients or categories of recipients of the personal data;
      v. Existence of the rights of data subjects, including the right to access and correction, and the right to object;
      vi. Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
   d. Further processing of shared data shall adhere to the data privacy principles laid down in the DPA, its implementing rules, and other issuances of the Commission.

3. Data collected from parties other than the data subject for the purpose of research shall be allowed when (1) the personal data is publicly available, or (2) has the consent of the data subject for the purpose of research: Provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity.

4. Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement.
   a. Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security.
   b. The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of the data subject.

DATA PROCESSING

Criteria for lawful processing of personal information
For processing to be lawful, any of the following conditions must be complied with:

1. The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable;

2. The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;

3. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

4. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;

5. The processing of personal information is necessary to respond to a national emergency or to comply with the requirements of public order and safety, as prescribed by law;

6. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or

7. The processing is necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.

Sensitive personal information and privileged information
The processing of sensitive personal and privileged information is prohibited, except in any of the following cases:

1. Consent is given by the data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose;

2. The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations: Provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;

3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that:
   a. Processing is confined and related to the bona fide members of these organizations or their associations;
   b. The sensitive personal information are not transferred to third parties; and
   c. Consent of the data subject was obtained prior to processing;

5. The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or

6. The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.

Extension of privileged communication
Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered from privileged information is inadmissible.

When the Commission inquires upon communication claimed to be privileged, the personal information controller concerned shall prove the nature of the communication in an executive session. Should the communication be determined as privileged, it shall be excluded from evidence, and the contents thereof shall not form part of the records of the case: Provided, that where the privileged communication itself is the subject of a breach, or a privacy concern or investigation, it may be disclosed to the Commission but only to the extent necessary for the purpose of investigation, without including the contents thereof in the records.

Surveillance of suspects and interception of recording of communications
The processing of personal data for the purpose of surveillance, interception, or recording of communications shall comply with the Data Privacy Act, including adherence to the principles of transparency, proportionality, and legitimate purpose.

SECURITY MEASURES FOR PROTECTION OF PERSONAL DATA

Data Privacy and Security a. The policies shall implement data


Personal information controllers and personal protection principles both at the
information processors shall implement time of the determination of the
reasonable and appropriate organizational, means for processing and at the
physical, and technical security measures for the time of the processing itself.
protection of personal data. b. The policies shall implement
appropriate security measures that,
The personal information controller and personal by default, ensure only personal
information processor shall take steps to ensure data which is necessary for the
that any natural person acting under their specified purpose of the processing
authority and who has access to personal data, are processed. They shall determine
does not process them except upon their the amount of personal data
instructions, or as required by law. collected, including the extent of
processing involved, the period of
The security measures shall aim to maintain the their storage, and their accessibility.
availability, integrity, and confidentiality of c. The polices shall provide for
personal data and are intended for the protection documentation, regular review,
of personal data against any accidental or evaluation, and updating of the
unlawful destruction, alteration, and disclosure, privacy and security policies and
as well as against any other unlawful processing. practices.
These measures shall be implemented to protect
personal data against natural dangers such as 3. Records of Processing Activities
accidental loss or destruction, and human Any natural or juridical person or other body
dangers such as unlawful access, fraudulent involved in the processing of personal data
misuse, unlawful destruction, alteration and shall maintain records that su]iciently
contamination. describe its data processing system, and
identify the duties and responsibilities of
Organizational security measures those individuals who will have access to
Where appropriate, personal information personal data. Records should include:
controllers and personal information processors a. Information about the purpose of
shall comply with the following guidelines for the processing of personal data,
organizational security: including any intended future
processing or data sharing;
1. Compliance OOicers b. A description of all categories of
Any natural or juridical person or other body data subjects, personal data, and
involved in the processing of personal data recipients of such personal data
shall designate an individual or individuals that will be involved in the
who shall function as data protection o]icer, processing;
compliance o]icer or otherwise be c. General information about the data
accountable for ensuring compliance with flow within the organization, from
applicable laws and regulations for the the time of collection, processing,
protection of data privacy and security. and retention, including the time
limits for disposal or erasure of
2. Data Protection Policies personal data;
Any natural or juridical person or other body d. A general description of the
involved in the processing of personal data organizational, physical, and
shall implement appropriate data protection technical security measures in
policies that provide for organization, place;
physical, and technical security measures, e. The name and contact details of the
and, for such purpose, take into account the personal information controller and,
nature, scope, context and purposes of the where applicable, the joint
processing, as well as the risks posed to the controller, the its representative,
rights and freedoms of data subjects. and the compliance o]icer or Data
Protection O]icer, or any other

Page 7 of 16
individual or individuals implement the security measures required
accountable for ensuring by the Act and these Rules. It shall only
compliance with the applicable engage those personal information
laws and regulations for the processors that provide su]icient
protection of data privacy and guarantees to implement appropriate
security. security measures specified in the Act and
these Rules, and ensure the protection of the
4. Management of Human Resources rights of the data subject.
Any natural or juridical person or other entity
involved in the processing of personal data Physical Security Measures
shall be responsible for selecting and Where appropriate, personal information
supervising its employees, agents, or controllers and personal information processors
representatives, particularly those who will shall comply with the following guidelines for
have access to personal data. physical security:

The said employees, agents, or 1. Policies and procedures shall be


representatives shall operate and hold implemented to monitor and limit access to
personal data under strict confidentiality if and activities in the room, workstation or
the personal data are not intended for public facility, including guidelines that specify the
disclosure. This obligation shall continue proper use of and access to electronic
even after leaving the public service, media;
transferring to another position, or upon
terminating their employment or contractual 2. Design of o]ice space and work stations,
relations. There shall be capacity building, including the physical arrangement of
orientation or training programs for such furniture and equipment, shall provide
employees, agents or representatives, privacy to anyone processing personal data,
regarding privacy or security policies. taking into consideration the environment
and accessibility to the public;
5. Processing of Personal Data
Any natural or juridical person or other body 3. The duties, responsibilities and schedule of
involved in the processing of personal data individuals involved in the processing of
shall develop, implement and review: personal data shall be clearly defined to
a. A procedure for the collection of ensure that only the individuals actually
personal data, including procedures performing o]icial duties shall be in the
for obtaining consent, when room or work station, at any given time;
applicable;
b. Procedures that limit the processing 4. Any natural or juridical person or other body
of data, to ensure that it is only to the involved in the processing of personal data
extent necessary for the declared, shall implement Policies and procedures
specified, and legitimate purpose; regarding the transfer, removal, disposal,
c. Policies for access management, and re-use of electronic media, to ensure
system monitoring, and protocols to appropriate protection of personal data;
follow during security incidents or
technical problems; 5. Policies and procedures that prevent the
d. Policies and procedures for data mechanical destruction of files and
subjects to exercise their rights equipment shall be established. The room
under the Act; and workstation used in the processing of
e. Data retention schedule, including personal data shall, as far as practicable, be
timeline or conditions for erasure or secured against natural disasters, power
disposal of records. disturbances, external access, and other
similar threats.
6. Contracts with Personal Information
Processors Guidelines for Technical Security Measures
The personal information controller, through Where appropriate, personal information
appropriate contractual agreements, shall controllers and personal information processors
ensure that its personal information shall adopt and establish the following technical
processors, where applicable, shall also security measures:

Page 8 of 16
1. A security policy with respect to the processing of personal data;
2. Safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
3. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;
4. Regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;
5. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
6. A process for regularly testing, assessing, and evaluating the effectiveness of security measures;
7. Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.

Appropriate Level of Security
The Commission shall monitor the compliance of natural or juridical persons or other bodies involved in the processing of personal data, specifically their security measures, with the guidelines provided in these Rules and subsequent issuances of the Commission. In determining the level of security appropriate for a particular personal information controller or personal information processor, the Commission shall take into account the nature of the personal data that requires protection, the risks posed by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation. The security measures provided herein shall be subject to regular review and evaluation, and may be updated as necessary by the Commission in separate issuances, taking into account the most appropriate standard recognized by the information and communications technology industry and data privacy best practices.

Security of Sensitive Personal Information in Government

1. Responsibility of Heads of Agencies
All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein. The Commission shall monitor government agency compliance and may recommend the necessary action in order to satisfy the minimum standards.

2. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information

a. On-site and Online Access.
   1. No employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency. The source agency is the government agency that originally collected the personal data.
   2. A source agency shall strictly regulate access to sensitive personal information under its custody or control, particularly when it allows online access. An employee of the government shall only be granted a security clearance when the performance of his or her official functions or the provision of a public service directly depends on and cannot otherwise be performed unless access to the personal data is allowed.
   3. Where allowed under the next preceding sections, online access to sensitive personal information shall be subject to the following conditions:
      (a) An information technology governance framework has been designed and implemented;
      (b) Sufficient organizational, physical and technical security measures have been established;
      (c) The agency is capable of protecting sensitive personal information in accordance with data privacy practices and standards recognized by the information and communication technology industry;
      (d) The employee of the government is only given online access to sensitive personal information necessary for the performance of official functions or the provision of a public service.

b. Off-site access.
   1. Sensitive personal information maintained by an agency may not be transported or accessed from a location off or outside of government property, whether by its agent or employee, unless the head of agency has ensured the implementation of privacy policies and appropriate security measures. A request for such transportation or access shall be submitted to and approved by the head of agency. The request must include proper accountability mechanisms in the processing of data.
   2. The head of agency shall approve requests for off-site access in accordance with the following guidelines:
      (a) Deadline for Approval or Disapproval. The head of agency shall approve or disapprove the request within two business days after the date of submission of the request. Where no action is taken by the head of agency, the request is considered disapproved;
      (b) Limitation to 1,000 Records. Where a request is approved, the head of agency shall limit the access to not more than 1,000 records at a time, subject to the next succeeding paragraph.
      (c) Encryption. Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

3. Applicability to Government Contractors
In entering into any contract with a private service provider that may involve accessing or requiring sensitive personal information from 1,000 or more individuals, a government agency shall require such service provider and its employees to register their personal data processing system with the Commission in accordance with the DPA and its rules.

The service provider, as personal information processor, shall comply with the other provisions of the DPA and its rules.
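The off-site access guidelines above (a decision within two business days, silence treated as disapproval, a cap of 1,000 records at a time, and encryption of whatever stores or transports the data) are concrete enough to be checked mechanically before any data leaves government premises. The Python below is an added example written for these notes, not code from the Rules or from the lecture; the request fields, the Monday-to-Friday business-day calendar (public holidays are not modelled) and the sample request are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the head-of-agency guidelines above.
RECORD_CAP = 1_000                   # not more than 1,000 records at a time
APPROVAL_WINDOW_BUSINESS_DAYS = 2    # approve or disapprove within two business days


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` Monday-to-Friday business days.
    Public holidays are not modelled; that simplification is an assumption of this example."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:        # 0..4 are Monday..Friday
            days -= 1
    return current


@dataclass
class OffsiteAccessRequest:
    """A constructed record of an off-site access request (hypothetical field names)."""
    requester: str
    submitted_on: date
    records_requested: int
    has_accountability_mechanisms: bool   # the request must describe these
    off_site_tech_encrypted: bool         # storage/transport/access technology uses the recognized standard
    decision: Optional[str] = None        # "approved", "disapproved", or None if the head of agency has not acted


def sample_request(day: int, records: int, *, accountability: bool = True,
                   encrypted: bool = True, decision: Optional[str] = None) -> OffsiteAccessRequest:
    """Constructed sample request submitted in March 2024 (1 March 2024 is a Friday)."""
    return OffsiteAccessRequest("analyst-01", date(2024, 3, day), records, accountability, encrypted, decision)


def approval_deadline(req: OffsiteAccessRequest) -> date:
    """Last business day on which the head of agency may still act on the request."""
    return add_business_days(req.submitted_on, APPROVAL_WINDOW_BUSINESS_DAYS)


def request_defects(req: OffsiteAccessRequest) -> list[str]:
    """Conditions in the guidelines that an approved request must still satisfy."""
    defects = []
    if not req.has_accountability_mechanisms:
        defects.append("request does not include accountability mechanisms for the processing")
    if not req.off_site_tech_encrypted:
        defects.append("off-site storage, transport or access technology is not encrypted")
    return defects


def evaluate(req: OffsiteAccessRequest, today: date) -> tuple[str, int, str]:
    """Return (status, records_permitted_at_a_time, reason).

    status is 'approved', 'disapproved' or 'pending'. No action from the head of agency
    within the two-business-day window counts as a disapproval, as the guidelines state.
    """
    if req.decision == "disapproved":
        return ("disapproved", 0, "disapproved by the head of agency")
    if req.decision == "approved":
        defects = request_defects(req)
        if defects:
            return ("disapproved", 0, "; ".join(defects))
        # Approval never extends beyond 1,000 records at a time.
        return ("approved", min(req.records_requested, RECORD_CAP), "approved within the record cap")
    deadline = approval_deadline(req)
    if today > deadline:
        return ("disapproved", 0, "deemed disapproved: no action within two business days")
    return ("pending", 0, f"awaiting decision; deadline {deadline.isoformat()}")


if __name__ == "__main__":
    # Submitted on a Friday, so the deadline falls on the following Tuesday (2024-03-05).
    req = sample_request(1, 2_500)
    print(approval_deadline(req))                 # 2024-03-05
    print(evaluate(req, date(2024, 3, 6)))        # ('disapproved', 0, 'deemed disapproved: ...')
    req.decision = "approved"
    print(evaluate(req, date(2024, 3, 6)))        # ('approved', 1000, 'approved within the record cap')
```

The point of `evaluate` is that an approval on file is not the end of the check: a request that lacks accountability mechanisms, or whose off-site technology is unencrypted, still fails the guidelines, and a request nobody acted on becomes a disapproval the day after the deadline rather than an open item.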

RIGHTS OF DATA SUBJECT

Right to be informed
The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

The data subject shall be notified and furnished with the following information before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:
1. Description of the personal data to be entered into the system;
2. Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
3. Basis of processing, when processing is not based on the consent of the data subject;
4. Scope and method of the personal data processing;
5. The recipients or classes of recipients to whom the personal data are or may be disclosed;
6. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
7. The identity and contact details of the personal data controller or its representative;
8. The period for which the information will be stored; and
9. The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission.

Right to object
The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.

Exception on the right to object: When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:
1. The personal data is needed pursuant to a subpoena;
2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of a legal obligation.

Right to access
The data subject has the right to reasonable access to, upon demand, the following:
1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
7. Date when the personal data concerning the data subject were last accessed and modified; and
8. The designation, name or identity, and address of the personal information controller.

Right to rectification
The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.

Right to erasure or blocking
The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller's filing system.

This right may be exercised upon discovery and substantial proof of any of the following:
a. The personal data is incomplete, outdated, false, or unlawfully obtained;
b. The personal data is being used for a purpose not authorized by the data subject;
c. The personal data is no longer necessary for the purposes for which they were collected;
d. The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
e. The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
f. The processing is unlawful;
g. The personal information controller or personal information processor violated the rights of the data subject.

The personal information controller may notify third parties who have previously received such processed personal information.

Right to damages
The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.

Transmissibility of rights of the data subject
The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated above.

Right to Data Portability
Where his or her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject.

The exercise of this right shall primarily take into account the right of the data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means.

The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.

Limitations on Rights

1. Scientific and statistical research
The rights of the data subject are not applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose.

2. Investigations relating to criminal, administrative, or tax liabilities
The rights are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.

Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

DATA BREACH

Data Breach Notification
a. The Commission and affected data subjects shall be notified by the personal information controller within 72 hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.
b. Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.

Contents of Notification
The notification shall describe the:
1. nature of the breach,
2. personal data possibly involved, and
3. measures taken by the entity to address the breach.

The notification shall also include:
4. the measures taken to reduce the harm or negative consequences of the breach,
5. the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and
6. any assistance to be provided to the affected data subjects.

Delay of notification, when allowed
Notification may be delayed only:
a. to the extent necessary to determine the scope of the breach,
b. to prevent further disclosures, or
c. to restore reasonable integrity to the information and communications system.

1. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal data.
2. The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest, or in the interest of the affected data subjects.
3. The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

Breach report
The personal information controller shall notify the Commission by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details.

All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to the Commission annually.

OUTSOURCING AND SUBCONTRACTING AGREEMENTS

Subcontract of Personal Data
A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the DPA and its implementing rules and other applicable laws for processing of personal data, and other issuances of the Commission.

Agreements for Outsourcing
Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller.

a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.

b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
   1. Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
   2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
   3. Implement appropriate security measures and comply with the DPA and its implementing rules, and other issuances of the Commission;
   4. Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
   5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
   6. Assist the personal information controller in ensuring compliance with the DPA and its implementing rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;
   7. At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the DPA or another law;
   8. Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the DPA, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter;
   9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the DPA and its implementing rules, or any other issuance of the Commission.

Duty of personal information processor
The personal information processor shall comply with the requirements of the DPA and its implementing rules, other applicable laws, and other issuances of the Commission, in addition to obligations provided in a contract, or other legal act with a personal information controller.

REGISTRATION AND COMPLIANCE REQUIREMENTS

Enforcement of the Data Privacy Act
Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:
a. Registration of personal data processing systems operating in the country that involve accessing or requiring sensitive personal information of at least 1,000 individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
d. Compliance with other requirements that may be provided in other issuances of the Commission.

Registration of Personal Data Processing Systems
The personal information controller or personal information processor that employs fewer than 250 persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least 1,000 individuals.

a. The contents of registration shall include:
   1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details;
   2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;
   3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;
   4. The recipients or categories of recipients to whom the data might be disclosed;
   5. Proposed transfers of personal data outside the Philippines;
   6. A general description of privacy and security measures for data protection;
   7. Brief description of the data processing system;
   8. Copy of all policies relating to data governance, data privacy, and information security;
   9. Attestation to all certifications attained that are related to information and communications processing; and
   10. Name and contact details of the compliance or data protection officer, which shall immediately be updated in case of changes.

b. The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.

Notification of Automated Processing Operations
The personal information controller carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.

a. The notification shall include the following information:
   1. Purpose of processing;
   2. Categories of personal data to undergo processing;
   3. Category or categories of data subject;
   4. Consent forms or manner of obtaining consent;
   5. The recipients or categories of recipients to whom the data are to be disclosed;
   6. The length of time the data are to be stored;
   7. Methods and logic utilized for automated processing;
   8. Decisions relating to the data subject that would be made on the basis of processed data or that would significantly affect the rights and freedoms of the data subject; and
   9. Names and contact details of the compliance or data protection officer.

b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject.

Review by the Commission
The following are subject to the review of the Commission, upon its own initiative or upon the filing of a complaint by a data subject:
a. Compliance by a personal information controller or personal information processor with the DPA and its implementing rules, and other issuances of the Commission;
b. Compliance by a personal information controller or personal information processor with the requirement of establishing adequate safeguards for data privacy and security;
c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its implementation;
d. Any off-site or online access to sensitive personal data in government allowed by a head of agency;
e. Processing of personal data for research purposes, public functions, or commercial activities;
f. Any reported violation of the rights and freedoms of data subjects;
g. Other matters necessary to ensure the effective implementation and administration of the DPA and its implementing rules, and other issuances of the Commission.