
R.A. 10173 or The Data Privacy Act of 2012: Compliance & Application

The document summarizes the key aspects of the Data Privacy Act of 2012 in the Philippines, including its objectives, scope of application, definitions of personal data, parties involved, and data privacy principles. Specifically, it aims to protect individuals and their data, regulate data collection and use, and ensure data security. It covers personal data of Filipinos as well as foreigners whose data is processed in the country. It establishes the National Privacy Commission as the regulatory body and outlines the roles and responsibilities of personal information controllers, processors and data protection officers.

Uploaded by Peggy Ding

R.A. 10173 or the DATA PRIVACY ACT of 2012 (August 15, 2012)
Implementing Rules and Regulations (August 24, 2016)

COMPLIANCE & APPLICATION
APPLICATION & IMPLEMENTATION

Open Circle Privacy Group
Solis Medina Limpingco & Fajardo Law Offices
We collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like. The activity information we collect may include:

• Terms you search for
• Videos you watch
• Views and interactions with content and ads
• Voice and audio information when you use audio features
• Purchase activity
• People with whom you communicate or share content
• Activity on third-party sites and apps that use our services
• Chrome browsing history you’ve synced with your Google Account
• If you use our services to make and receive calls or send and receive messages, we may collect telephony log information like your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls.

You can visit your Google Account to find and manage activity information that’s saved in your account.

https://www.google.com.ph/policies/privacy/#infocollect
Worldwide: More than 80 countries have data protection laws.

• Europe:
 Right to data privacy is heavily regulated and actively enforced.
 The EU's data protection laws have long been regarded as a gold standard.
 Currently the General Data Protection Regulation (GDPR).

• United States:
 Health Insurance Portability and Accountability Act (HIPAA)
 Fair Credit Reporting Act (FCRA)
 Electronic Communications Privacy Act (ECPA)
 Various State Laws and Agency Regulations
R.A. 10173, DATA PRIVACY ACT of 2012. Sec. 2, R.A. 10173

• PROTECT INDIVIDUALS AND THEIR DATA by adopting the generally accepted international principles and standards for data protection.
• REGULATE COLLECTION, USE AND STORAGE, thereby safeguarding the fundamental human right to privacy while ensuring free flow of information.
• ENSURE IMPLEMENTATION OF DATA SECURITY to secure and protect personal data information in private and government sectors.
The National Privacy Commission. Secs. 8 – 16, IRR, DPA 2012
An independent body mandated to administer and implement the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with international standards set for data protection.

Rule Making
• Promulgate, review or amend its rules and regulations, and publish or issue administrative issuances

Advisory
• Comment or report
• Review, approve, reject or require modification of privacy codes by controllers

Public Education
• Undertake efforts to inform the public of data privacy, protection and fair information rights and responsibilities

Compliance and Monitoring
• Ensure coordination with regulators in other countries
• Negotiate for cross-border application

Complaints and Investigations
• Receive complaints and institute investigations
• Facilitate settlement of complaints

Enforcement
• Impose fines and administrative penalties
• Recommend to DOJ prosecution
• Award indemnity

privacy.gov.ph
Privacy & Security of PERSONAL DATA: LEGAL and COMPLIANCE

Subject Matter - PERSONAL DATA
Sec. 3, IRR, DPA of 2012

PROCESSING:
• collecting
• recording
• organizing
• storing
• updating
• retrieving
• using
• consolidating
• erasing

PERSONAL INFORMATION
• Covers both digital and analog forms of data
• Identity of individual is apparent OR can be reasonably and directly ascertained when put together with other information

SENSITIVE PERSONAL INFORMATION
• Individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations
• Health, education, genetic, or sexual life, or any legal proceeding
• Issued by government agencies peculiar to an individual, ex. licenses

PRIVILEGED INFORMATION
• Examples:
 lawyer-client;
 doctor-patient;
 priest-confessor;
 spousal privilege
Processing Covered – Sec. 4, IRR DPA 2012

• Processor is found or established in the Philippines.
• Processing relates to personal data about a Philippine citizen or resident.
• Processing is being done in the Philippines.
• Processing of personal data is done or engaged in by an entity with links to the Philippines, such as:
 equipment located in, or has an office, branch or agency in the Phils., or the parent or affiliate of the Phil. entity has access to personal data;
 contract is entered in the Phils., or carries on business in the Phils., or collects or holds personal data in the Phils.;
 unincorporated in the Philippines, has central management and control herein.
INFORMATION NOT COVERED. Sec. 5, IRR, DPA 2012

• Matters of public concern, pertaining to employment in gov’t., service under gov’t. contract, benefit of a financial nature from gov’t. such as a franchise, license or permit.
• Personal Information for journalistic, artistic or literary purpose.
• Personal Information for research purpose for a public benefit.
• Information necessary to carry out functions of public authority, pertaining to law enforcement or regulatory or monetary functions, such as under the Secrecy of Bank Deposits Act; Foreign Currency Deposit Act; Credit Information System Act (CISA).
• Information necessary for banks, other financial institutions.
• Originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, being processed in the Phils. Provided, that personal information controllers or personal information processors are still subject to the requirements of implementing security measures for personal data protection.
Parties – Secs. 3 and 26, IRR of DPA 2012 and NPC Advisory No. 2017-01

PERSONAL INFORMATION CONTROLLER
The person or organization who controls the collection, holding, processing, or use of the personal information. Responsible for DPA implementation.

DATA SUBJECT
The individual whose personal information is processed.

PERSONAL INFORMATION PROCESSOR
Any natural or juridical person to whom a personal information controller may outsource the processing of personal data.

DATA PROTECTION OFFICER / Compliance Officer on Protection
Person appointed to implement and ensure compliance with the DPA. Bound by secrecy or confidentiality concerning tasks performance.
Data Privacy Principles – Sec. 17, 18, and 19, IRR, DPA of 2012

TRANSPARENCY
Data Subject aware of nature, purpose, & extent of processing, including risks, safeguards, and rights.

LEGITIMACY
Compatible with declared and specified purpose not contrary to law, morals, or public policy.

PROPORTIONALITY
Adequate, relevant, suitable, necessary. Not excessive in relation to declared and specified purpose.

• Collected for a declared, specified, and legitimate purpose determined and declared before or soon after collection, and processed compatible with declared, specified and legitimate purposes only.
• Processed fairly and lawfully.
• Should ensure data quality. Accurate, relevant, up to date. Adequate and not excessive.
• Not be retained longer than necessary.
• Authorized further processing shall have adequate safeguards.
Processing Personal Information. Secs. 21 and 22, IRR DPA 2012

• PERSONAL - ALLOWED if:
 Consent. Freely given, specific, informed indication of will.
 Arising from Contract.
 For compliance with a legal obligation of Personal Information Controller.
 To protect vitally important interests of the data subject.
 To respond to national emergency or requirements of public order and safety.
 Constitutional or statutory mandate.
 Legitimate interests of the PIC or a 3rd party to whom the data is disclosed.

• SENSITIVE / PRIVILEGED – PROHIBITED except:
 Consent. Freely given, specific, informed indication of will.
 Processing provided by law where consent not required.
 To protect the life and health of data subject or another person.
 To achieve the lawful and noncommercial objectives of public organizations.
 Necessary for the purpose of medical treatment so long as carried out by a medical practitioner, treatment institution and protection of personal data is ensured.
 Necessary for the protection of lawful rights and interests in court proceedings, or the establishment, exercise, or defense of legal claims.
PRIVACY STATEMENT. NPC https://www.privacy.gov.ph/npc-privacy-policy/#3

Statement of Policy
The NPC is committed to protect and respect your personal data privacy. We are at the forefront of not only implementing but complying with
the Data Privacy Act of 2012.

We will provide individuals a Personal Information Collection Statement in an appropriate format and manner whenever we collect personal
data from them (i.e. in the manual form or web page that collects personal data, or in a notice posted at the reception area of NPC events where
participants’ personal data is collected through attendance sheets).

NPC’s Privacy Notice

Personal Information
We collect the following personal information from you when you manually or electronically submit to us your complaints, inquiries or requests:
• Full name
• Home address
• Email address
• Employment Information
• Face/photo, fingerprints or handwriting
• Contact numbers

Use
The collected personal information is utilized solely for documentation and processing purposes within the NPC and is not shared with any
outside parties. They enable the NPC to properly address the complaints, forward them to appropriate internal units for action and response,
and provide clients or complainants with appropriate updates and advisories in a legitimate format and in an orderly and timely manner.

Website Analytics
The NPC uses WP Statistics, a third-party service to analyze the web traffic data for us. This service does not use cookies. Data generated is not
shared with any other party. Only non-identifiable web traffic data are analyzed, including . . .
Processing Principles and Data Rights

Sec. 34 (a) Right to be Informed | Data Subjects have the right to know everything pertaining to their data.
Sec. 34 (b) Right to Object | Data Subjects have the right to say no to further processing of their data.
Sec. 34 (c) Right to Reasonable Access | Data Subjects have the right to access their personal data.
Sec. 34 (d) Right to Rectification | Data Subjects have the right to dispute inaccuracies and to correction.
Sec. 34 (e) Right to Erasure or Blocking | Especially in cases of unlawful processing.
Sec. 34 (f) Right to Damages | Data Subjects have the right to be indemnified for any damages sustained.
Secs. 35 & 36 Right to Data Portability | Transmissibility of Rights.
Data Sharing. Allowed if – Sec. 20, IRR DPA 2012

• EXPRESSLY AUTHORIZED BY LAW.
• IN THE PRIVATE SECTOR: Consent, and the data subject shall be provided the following information:
 Identity of the PIC or PIP;
 Purpose of data sharing;
 Categories of personal data concerned;
 Intended recipients of the personal data;
 Existence of the rights of data subjects;
 Other information as to the nature & extent of processing and sharing.
• IN THE GOVERNMENT SECTOR: Consent, and data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement. (NPC Circular 16-02)
• FOR PURPOSE OF RESEARCH: Data collected from other parties when the personal data is publicly available, or has the consent of the data subject.
DATA SHARING. SMART https://smart.com.ph/Corporate/privacy#cookie-policy

When we disclose personal information

There are a variety of circumstances where we may need to share some of the information that you have provided to us. In
these cases, we ensure that your personal information is disclosed on a confidential basis, through secure channels, and
only in compliance with the Data Privacy Act.

We will never share, rent, or sell your personal information to third parties outside of the Smart Communications, Inc.
except in special circumstances where you may have given your specific consent for, and as described in this policy.

In some instances, we may be required to disclose your personal information to our agents, subsidiaries, affiliates,
business partners and other third-party agencies and service providers as part of our regular business operations and for
the provision of our products and services. This means we might share your information with:

• Our service providers, contractors, and professional advisers who help us provide our products and services. This includes
partner companies, organizations, or agencies, and their sub-contractors. For example: our couriers for bill delivery and our
customer contact centers for our pre- and post-sales hotline operations;

• Our Subsidiaries and Affiliates with whom you have also signed-up with. We do so only for the improvement of each
other’s business and operations. For example: we share information about your credit standing to facilitate your service
applications with them, resulting in faster approvals;

• Other companies to whom you have also given consent for us to share your information with; and

• Law enforcement and government agencies, but only when required by laws and regulations and other lawful orders and
processes.

Our partners include, but are not limited to, the list provided under Subsidiaries, Affiliates and Partners.
SECURITY. REASONABLE & APPROPRIATE
Sec. 25, IRR DPA 2012

• Confidentiality, Integrity, & Availability.
• ORGANIZATIONAL, PHYSICAL and TECHNICAL measures.

Protect personal data against:
 natural dangers such as accidental loss or destruction;
 human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination;
 any other unlawful processing.
Organizational Security Measures. Sec. 26, IRR DPA 2012

• Designation of a Data Protection/Compliance Officer.
• Implementation of appropriate data protection policies providing for organizational, physical, and technical security measures.
• Maintaining records that sufficiently describe its data processing system and details of its operations.
• Proper selection and supervision of employees, agents, or representatives who will have access to personal data.
• Development, implementation and review of procedures and policies.
• Ensure that personal information processors also implement the security measures required by law.
DPO / COP. NPC Advisory No. 2017-01

The DPO should be a full-time or organic employee. Function outsourcing allowed.
Should possess specialized knowledge and have expertise in relevant privacy or data protection policies and practices, and sufficient understanding of the processing operations of the PIC or PIP, including the latter's information systems, data security and/or data protection needs.

DPO shall:
a. Monitor PIC's or PIP's compliance with the legal mandate.
b. Ensure conduct of Privacy Impact Assessments.
c. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights.

The DPO or COP shall:
a. Ensure data breach and security incident management by the PIC or PIP.
b. Inform and cultivate awareness on privacy and data protection within PIC or PIP.
c. Advocate the development, review/revision of privacy policies, guidelines, projects.
d. Serve as the contact person of the PIC or PIP vis-a-vis data subjects, the NPC and other authorities.
e. Cooperate, coordinate and seek advice of the NPC on matters concerning data privacy/security.
f. Perform other duties to further data privacy and security and uphold the rights of the data subjects.

• Shall act independently in the performance of functions. Enjoy sufficient degree of autonomy. Should not directly or indirectly be penalized, dismissed or threatened for performing tasks. Must not receive instructions from the PIC or PIP regarding the exercise of tasks.
• Opinion must be given due weight. Should the PIC or PIP not follow the advice, it is recommended to document the reasons therefor.
• Malfeasance, misfeasance, or nonfeasance relative to his designated functions may be grounds for liability.
• DPO or COP contact details (title or designation, postal address, dedicated telephone number, dedicated email address) must appear in at least the:
 website;
 privacy notice;
 privacy policy; and
 privacy manual or privacy guide.
Physical Security Measures. Sec. 27, IRR DPA 2012
• Design of office space and work stations secured against natural disasters, power disturbances, external access, and other similar threats.
• Policies and procedures to monitor and limit access.
• Define duties, responsibilities and schedules.
• Policies and procedures on transfer, removal, disposal, and re-use of electronic media and on prevention of mechanical destruction of files and equipment.

Technical Security Measures. Sec. 28, IRR DPA 2012
• Security policy for processing.
• Safeguards to protect against accidental, unlawful or unauthorized access.
• Ability to maintain confidentiality, integrity, availability and resilience of systems.
• Regular monitoring and testing for security breaches and effectivity of security measures.
• Ability to restore availability and access.
• Encryption during storage or while in transit, authentication process, other technical security measures.
Security of Sensitive Personal Information (SPI) in Government. Secs. 30 – 33, IRR DPA 2012

The head of agency or instrumentality shall ensure that all SPI is secured with the use of the most appropriate standard in the IT and Communications Technology industry.
Government employees shall have access to SPI only with security clearance from the source agency.

Online access by Government employees requires that:
• An information technology governance framework has been designed and implemented;
• Sufficient organizational, physical and technical security measures have been established;
• The agency is capable of protecting sensitive personal information;
• Access is necessary for the performance of official functions or the provision of a public service.

Off-site access by Government employees:
• SPI may not be transported or accessed from a location off or outside of government property unless the implementation of privacy policies and appropriate security measures is ensured.
• Limitation to one thousand (1,000) records at a time.
• Any technology used to store, transport or access SPI shall be secured by the most secure encryption standard (currently the Advanced Encryption Standard with a key size of 256 bits, AES-256).

A private service provider whose engagement may involve accessing or requiring SPI from one thousand (1,000) or more individuals shall comply with rules similar to those for a government agency and its employees.
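As an added example (not from the deck, the IRR or the NPC), the Go routine below enforces the two off-site-access rules above together: a batch of at most 1,000 records, sealed with AES-256 (here in GCM mode, so the data is also integrity-protected and any alteration in transit is detected on open). The SPIRecord shape and the 32-byte demo key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// MaxOffsiteRecords is the per-batch cap the deck cites for off-site access to SPI.
const MaxOffsiteRecords = 1000
var ErrTooManyRecords = errors.New("off-site batch exceeds 1,000 SPI records")

// SPIRecord is a constructed, hypothetical record shape for this example.
type SPIRecord struct {
	ID     int    `json:"id"`
	Name   string `json:"name"`
	Health string `json:"health"` // sensitive personal information
}
// newGCM rejects any key that is not 256 bits, so only AES-256 can be used.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBatch enforces the record cap, then encrypts the JSON serialisation with
// AES-256-GCM. Output layout: nonce || ciphertext || authentication tag.
func SealBatch(key []byte, records []SPIRecord) ([]byte, error) {
	if len(records) > MaxOffsiteRecords {
		return nil, ErrTooManyRecords
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per batch
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBatch decrypts and authenticates a SealBatch blob; any altered byte
// (nonce, ciphertext or tag) makes gcm.Open return an error.
func OpenBatch(key []byte, sealed []byte) (records []SPIRecord, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	plaintext, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, err
	}
	return records, json.Unmarshal(plaintext, &records)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	sealed, _ := SealBatch(key, []SPIRecord{{ID: 1, Name: "Juan", Health: "asthma"}})
	back, err := OpenBatch(key, sealed)
	fmt.Println(len(sealed), "bytes sealed; restored", len(back), "record(s); err:", err)
}
```

In practice the key would come from a managed key store rather than a literal, and a batch of exactly 1,000 records is still accepted while 1,001 is refused before any encryption happens.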
DATA BREACH MANAGEMENT. NPC Circular 16-03
CONFIDENTIALITY - INTEGRITY – AVAILABILITY
• Implementation of organizational, physical and technical security measures and personal data privacy policies.
• Implementation of an incident response procedure.
• Mitigation of possible harm and negative consequences.
• Compliance with personal data breach notification.
• Creation of a Data Breach Response Team, which may be outsourced. DPO may be a member. The team shall:
 Implement the security incident management policy;
 Manage security incidents and personal data breaches;
 Comply with issuances by the Commission on personal data breach management.
 The team must be ready to assess and evaluate a security incident, restore integrity to the information and communications system, mitigate and remedy any resulting damage, and comply with reporting requirements.
DATA BREACH. NPC Circular 16-03

SECURITY INCIDENT: Event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards.
PERSONAL DATA BREACH: Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. IF the breach:
• involves sensitive personal or other information which may be used to enable identity fraud;
• is reasonably believed to have been acquired by an unauthorized person;
• is likely to give rise to a real risk of serious harm to any affected data subject
– NOTIFY COMMISSION & AFFECTED DATA SUBJECTS W/IN 72 HOURS.
Other data breaches/security incidents must be recorded in writing and made part of the annual report.
ACCOUNTABILITY. Secs. 50, 51, and 61 IRR of DPA 2012; NPC Advisory 2017-01

• Personal Information Controllers shall be responsible for any personal data under their control or custody, including information that has been outsourced or transferred to a PIP.
• The person who committed the unlawful act or omission shall be recommended for prosecution in case of criminal acts.
• Responsible Officers of juridical persons who participated in, or by their gross negligence.
• DPOs or COPs for malfeasance, misfeasance, or nonfeasance relative to the designated functions.
• Head of each government agency or instrumentality shall be responsible for complying with the security requirements and liable for breach.
REGISTRATION REQUIRED. Secs. 47 & 48, IRR DPA 2012
• PIC or PIP employs at least two hundred fifty (250) employees;
• Processing includes sensitive personal information of at least one thousand (1,000) individuals;
• Processing is not occasional;
• Processing operations are likely to pose a risk to the rights and freedoms of data subjects:
 information that would likely affect national security, public safety, public order, or public health;
 information required by applicable laws or rules to be confidential;
 vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP;
 automated decision-making; or
 profiling.
See: https://www.privacy.gov.ph/guidelines-on-dpo-registration-process/
COMPLIANCE. Secs. 47 & 48, IRR DPA 2012
• Appoint DPO and register the DPO.
• Fully implement and register system.
• Conduct a Privacy Impact Assessment.
• Create a Privacy Manual.
• Undertake and Implement Security Measures.
• Data Breach Team.
FINES and PENALTIES

Unauthorized Processing. Sec. 52, IRR DPA of 2012
 Personal Information: Imprisonment 1 – 3 years; Fine P500,000 – P2,000,000
 Sensitive Personal Information: Imprisonment 3 – 6 years; Fine P500,000 – P4,000,000

Providing Access Due to Negligence. Sec. 53, IRR DPA of 2012
 Personal Information: Imprisonment 1 – 3 years; Fine P500,000 – P2,000,000
 Sensitive Personal Information: Imprisonment 3 – 6 years; Fine P500,000 – P4,000,000

Improper Disposal. Sec. 52, IRR DPA of 2012
 Personal Information: Imprisonment 4 months – 2 years; Fine P100,000 – P500,000
 Sensitive Personal Information: Imprisonment 1 – 3 years; Fine P100,000 – P1,000,000

Processing for Unauthorized Purposes. Sec. 52, IRR DPA of 2012
 Personal Information: Imprisonment 1 year & 6 mos. – 5 years; Fine P500,000 – P1,000,000
 Sensitive Personal Information: Imprisonment 2 – 7 years; Fine P500,000 – P2,000,000

Unauthorized Access or Intentional Breach. Sec. 52, IRR DPA of 2012
 Imprisonment 1 – 3 years; Fine P500,000 – P2,000,000

Concealment of Security Breaches. Sec. 52, IRR DPA of 2012
 Imprisonment 1 year and 6 months – 5 years; Fine P500,000 – P1,000,000

Malicious Disclosure. Sec. 52, IRR DPA of 2012
 Imprisonment 1 year and 6 months – 5 years; Fine P500,000 – P1,000,000

Unauthorized Disclosure. Sec. 52, IRR DPA of 2012
 Imprisonment 1 – 3 years; Fine P500,000 – P1,000,000
THANK YOU
[email protected]

philippinelawlist.com
