Summary: Philippines Data Privacy Act controller, except where overridden by the fundamental
and Implementing Regulations rights and freedoms of the data subject.
In 2012 the Philippines passed the Data Privacy Act
2012, comprehensive and strict privacy legislation “to protect
the fundamental human right of privacy, of communication
while ensuring free flow of information to promote
innovation and growth.” (Republic Act. No. 10173, Ch. 1, Sec.
2). This comprehensive privacy law also established a
National Privacy Commission that enforces and oversees it
and is endowed with rulemaking power. On September 9,
2016, the final implementing rules and regulations came into
force, adding specificity to the Privacy Act.
Scope and Application
The Data Privacy Act is broadly applicable to
individuals and legal entities that process personal
information, with some exceptions. The law has
extraterritorial application, applying not only to businesses
with offices in the Philippines, but when equipment based in
the Philippines is used for processing. The act further applies
to the processing of the personal information of Philippines
citizens regardless of where they reside.
One exception in the act provides that the law does not apply
to the processing of personal information in the Philippines
that was lawfully collected from residents of foreign
jurisdictions — an exception helpful for Philippines
companies that offer cloud services.
Approach
The Philippines law takes the approach that “The
processing of personal data shall be allowed subject to
adherence to the principles of transparency, legitimate
purpose, and proportionality.”
Collection, processing, and consent
The act states that the collection of personal data
“must be a declared, specified, and legitimate purpose” and
further provides that consent is required prior to the
collection of all personal data. It requires that when
obtaining consent, the data subject be informed about the
extent and purpose of processing, and it specifically mentions
the “automated processing of his or her personal data for
profiling, or processing for direct marketing, and data
sharing.” Consent is further required for sharing information
with affiliates or even mother companies.
Consent must be “freely given, specific, informed,”
and the definition further requires that consent to collection
and processing be evidenced by recorded means. However,
processing does not always require consent.
Consent is not required for processing where the
data subject is party to a contractual agreement, for
purposes of fulfilling that contract. The exceptions of
compliance with a legal obligation upon the data controller,
protection of the vital interests of the data subject, and
response to a national emergency are also available.
An exception to consent is allowed where processing
is necessary to pursue the legitimate interests of the data
Required agreements
The law requires that when sharing data, the sharing
be covered by an agreement that provides adequate
safeguards for the rights of data subjects, and that these
agreements are subject to review by the National Privacy
Commission.
Sensitive Personal and Privileged Information
The law defines sensitive personal information as being:
 About an individual’s race, ethnic origin, marital status,
age, color, and religious, philosophical or political
affiliations;
 About an individual’s health, education, genetic or
sexual life of a person, or to any proceeding or any
offense committed or alleged to have committed;
 Issued by government agencies “peculiar” (unique) to
an individual, such as social security number;
 Marked as classified by executive order or act of
Congress.
All processing of sensitive and personal information is
prohibited except in certain circumstances. The exceptions
are:
 Consent of the data subject;
 Pursuant to law that does not require consent;
 Necessity to protect life and health of a person;
 Necessity for medical treatment;
 Necessity to protect the lawful rights of data subjects in
court proceedings, legal proceedings, or regulation.
Surveillance
Interestingly, the Philippines law states that the
country’s Human Security Act of 2007 (a major anti-terrorism
law that enables surveillance) must comply with the Privacy
Act.
Privacy program required
The law requires that any entity involved in data
processing and subject to the act must develop, implement
and review procedures for the collection of personal data,
obtaining consent, limiting processing to defined purposes,
access management, providing recourse to data subjects, and
appropriate data retention policies. These requirements
necessitate the creation of a privacy program. Requirements
for technical security safeguards in the act also mandate that
an entity have a security program.
Data subjects' rights
The law enumerates rights that are familiar to
privacy professionals as related to the principles of notice,
choice, access, accuracy and integrity of data.
The Philippines law appears to contain a “right to be
forgotten” in the form of a right to erasure or blocking, where
the data subject may order the removal of his or her personal
data from the filing system of the data controller. Exercising
this right requires “substantial proof,” the burden of
producing which is placed on the data subject. This right is
expressly limited by the fact that continued publication may
be justified by constitutional rights to freedom of speech,
expression and other rights.
Notably, the law provides a private right of action for
damages for inaccurate, incomplete, outdated, false,
unlawfully obtained or unauthorized use of personal data.
It is unclear at present whether the commission
would allow a delay in notification of data subjects to allow
the commission to determine whether a notification is
unwarranted. By the law, this would appear to be a gamble.
Notification contents
The contents of the notification must at least:

A right to data portability is also provided.
Mandatory personal information breach notification
The law defines “security incident” and “personal
data breach” ensuring that the two are not confused. A
“security incident” is an event or occurrence that affects or
tends to affect data protection, or may compromise
availability, integrity or confidentiality. This definition
includes incidents that would result in a personal breach, if
not for safeguards that have been put in place.
A “personal data breach,” on the other hand, is a
subset of a security breach that actually leads to “accidental
or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, personal data transmitted, stored,
or otherwise processed.
Requirement to notify
The law further provides that not all “personal data
breaches” require notification., which provides several bases
for not notifying data subjects or the data protection
authority. Section 38 of the IRRs provides the requirements
of breach notification:
 Describe the nature of the breach;
 The personal data possibly involved;
 The measures taken by the entity to address the breach;
 The measures take to reduce the harm or negative
consequence of the breach;
 The representatives of the personal information
controller, including their contact details;
 Any assistance to be provided to the affected data
subjects.
Penalties
The law provides separate penalties for various
violations, most of which also include imprisonment.
Separate counts exist for unauthorized processing,
processing for unauthorized purposes, negligent access,
improper disposal, unauthorized access or intentional breach,
concealment of breach involving sensitive personal
information, unauthorized disclosure, and malicious
disclosure.
Any combination or series of acts may cause the entity to be
subject to imprisonment ranging from three to six years as
well as a fine of approximately $20,000 to $100,000.
Notably, there is also the previously mentioned private right
of action for damages, which would apply.

 The breached information must be sensitive personal

information, or information that could be used for
Penalties for failure to notify
identity fraud, and
 There is a reasonable belief that unauthorized
acquisition has occurred, and Persons having knowledge of a security breach
 The risk to the data subject is real, and involving sensitive personal information and of the obligation
 The potential harm is serious. to notify the commission of same, and who fail to do so, may
be subject to penalty for concealment, including
imprisonment for 1 1/2 to five years of imprisonment, and a
The law provides that the Commission may
fine of approximately $10,000 - $20,000.
determine that notification to data subjects is unwarranted
after taking into account the entity’s compliance with the
Privacy Act, and whether the acquisition was in good faith. Depending upon the circumstances additional
violations might apply.
Notification timeline and recipients

The law places a concurrent obligation to notify the

National Privacy Commission as well as affected data subjects
within 72 hours of knowledge of, or reasonable belief by the
data controller of, a personal data breach that requires
notification.