Professional Documents
Culture Documents
1 Section 3(c)
2 Section 3(g)
6 Section 3(i)
7 Section 11
9 Section 3(b)
1. The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all parties
to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and
regulations. But, such regulatory enactments must guarantee the protection
of the sensitive personal information and the privileged information.
Moreover, the consent of the data subjects must not be required by the law
or regulation permitting the processing of the sensitive personal
information or the privileged information;
3. The processing is necessary to protect the life and health of the data
subject or another person, and the data subject is not legally or physically
able to express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful and noncommercial
objectives of public organizations and their associations. But, such
processing must only be confined and related to the bona fide members of
these organizations or their associations. In addition, the sensitive personal
information are not transferred to third parties. Furthermore, consent of the
data subject was obtained prior to processing;
5. The processing is necessary for purposes of medical treatment, is carried
out by a medical practitioner or a medical treatment institution, and an
adequate level of protection of personal information is ensured; or
6. The processing concerns such personal information as is necessary for
the protection of lawful rights and interests of natural or legal persons in
court proceedings, or the establishment, exercise or defense of legal claims,
or when provided to government or public authority.
14. What are the rights of a data subject?
A data subject has two sets of rights. First involves the rights under Section
16 and 18 of the Act. While, the other set is composed of those provided in
the other Sections. The differentiation is important because under Section
19, the rights of provided under Section 16 and 18 have a general
exception, which is provided below (see Question 23 below)
The first set of rights involves the following rights:
1. Right to be Informed
2. Right of Access
3. Right to Correction
4. Right to Suspend, Withdraw, or Order the Removal of Personal
Information from the Controllers Filing System
5. Right to Indemnity
6. Right to Data Portability
The second set comprises the following:
7. Right to Lodge a Complaint before the Commission
8. Right to Know the Identity of Accountable Individuals
First Set
Right to be Informed
15. What the data subjects right to be informed?
The data subject has the right to be informed of the following:
1. Whether personal information pertaining to him or her shall be, are being
or have been processed;10
2. Be furnished the information indicated hereunder before the entry of his
or her personal information into the processing system of the personal
information controller, or at the next practical opportunity:
A. Description of the personal information to be entered into the
system;
B. Purposes for which they are being or are to be processed;
C. Scope and method of the personal information processing;
D. The recipients or classes of recipients to whom they are or may be
disclosed;
E. Methods utilized for automated access, if the same is allowed by
the data subject, and the extent to which such access is authorized;
F. The identity and contact details of the personal information
controller or its representative;
G. The period for which the information will be stored; and
H. The existence of their rights, i.e., to access, correction, as well as
the right to lodge a complaint before the Commission.
16. When does the Right to Information not apply?11
The notice before entry as provided in 2. above, shall not apply should the
personal information be needed pursuant to a subpoena or when the
collection and processing are for obvious purposes, including when it is
necessary for the performance of or in relation to a contract or service or
when necessary or desirable in the context of an employer-employee
relationship, between the collector and the data subject, or when the
information is being collected and processed as a result of legal obligation.
Right of Access
17. What is the right of access12 of a data subject?
The data subject has reasonable access to, upon demand, the following:
1. Contents of his or her personal information that were processed;
10 Section 16 (a)
11 Section 16 (b)
12 Section 16 (c)
13 Section 16(d)
14 Section 16 (d)
15 Section 16 (d)
information controller may notify third parties who have previously received
such processed personal information.16
Right to Indemnity
21. When is the data subject entitled to indemnity?
The data subject is entitled to be indemnified for any damages sustained
due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or
unauthorized use of personal information.17
Right to Data Portability
22. What is the data subjects right to data portability?
The data subject shall have the right, where personal information is
processed by electronic means and in a structured and commonly used
format, to obtain from the personal information controller a copy of data
undergoing processing in an electronic or structured format, which is
commonly used and allows for further use by the data subject. The
Commission may specify the electronic format referred to above, as well as
the technical standards, modalities and procedures for their transfer.18
20 Section 7(b)
21 Section 21
22 Section 7(b)
23 Section 37
24 Section 6
2. The entity has a link with the Philippines, and the entity is processing
personal information in the Philippines or even if the processing is outside
the Philippines as long as it is about Philippine citizens or residents such as,
but not limited to, the following:
A. A contract is entered in the Philippines;
B. A juridical entity unincorporated in the Philippines but has central
management and control in the country; and
C. An entity that has a branch, agency, office or subsidiary in the
Philippines and the parent or affiliate of the Philippine entity has
access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
A. The entity carries on business in the Philippines; and
B. The personal information was collected or held by an entity in the
Philippines.
30. When is it not applicable?
The cross-border application of the DPA does not apply to personal
information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being processed in the Philippines.25
31. How is this regulated?
The cross-border flow of data is regulated by the NPC as part of its mandate
to:
1. Ensure proper and effective coordination with data privacy regulators in
other countries and private accountability agents, participate in
international and regional initiatives for data privacy protection26;
2. Negotiate and contract with other data privacy authorities of other
countries for cross-border application and implementation of respective
privacy laws27;
3. Assist Philippine companies doing business abroad to respond to foreign
privacy or data protection laws and regulations28; and
4. Generally perform such acts as may be necessary to facilitate crossborder enforcement of data privacy protection.29
25 Section 4(g)
26 Section 7(n)
27 Section 7(o)
28 Section 7(p)
29 Section 7(q)
Lawful processing involves a two step process. First, before any personal
information can be processed, the personal information controller must first
comply with Section 11: General Data Privacy Principles 33. And second, the
personal information controller or the personal information processor, as
the case may be, shall determine whether the information is merely
personal information, which requires compliance of Section 12 34, or
sensitive personal information, in which case Section 13 35 must be complied
with.
35. Can the government process personal information without
complying with the conditions for lawful processing?
Yes, Section 4 specifically excludes Information necessary in order to carry
out the functions of public authority which includes the processing of
personal data for the performance by the independent, central monetary
authority and law enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions from the applicability
of the DPA. Therefore, processing of such information need not comply with
the specific provisions of the DPA, subject, however, to other laws and
regulations.
36. What are the obligations of the personal information controller?
Aside from the complying with the conditions for lawful processing of
personal information, the personal information controller has other
obligations. As a correlative of the rights that can be exercised by the data
subject, the personal information controller has the following obligation:
1. Obligation to Inform the Data Subject when his or her Personal
Information is processed
2. Obligation to Notify the Data Subject before the entry of his or her
Personal Information into the Processing System of the Personal
Information Controller36
3. Obligation to Allow Access to Personal Information pertaining to the Data
Subject, upon demand
4. Obligation to Correct any Inaccuracy or Error37
5. Obligation to Remove Personal Information from its Filing System, upon
demand and proof38
6. Obligation to Indemnify Data Subject for Breach
33 See Question 10 above
34 See Question 11 above
35 See Question 13 above
36 Subject to an exception: See Question 16
37 Subject to an exception: See Question 19
38 Proof that personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized
purposes or are no longer necessary for the purposes for which they were collected.
39 Section 23
Penalized Acts
Sec.
25
Sec.
26
Sec.
27
Sec.
28
Penalties
Prison Term
Fine41
500,000 to 2
1-3 years
million
500,000 to 4
3-6 years
million
500,000 to 2
1-3 years
million
500,000 to 4
3-6 years
million
6 mos - 2 years
100,000 to 500,000
100,000 to 1
1-3 years
million
1 yr and 6mos to 5
500,000 to 1
years
million
Sec.
29
Sec.
30
Sec.
31
Sec.
32
Sec.
33
2 - 7 years
1-3 years
1 yr and 6mos to 5
years
1 yr and 6mos to 5
years
Malicious Disclosure
Unauthorized Disclosure of Personal Information
1-3 years
3-5 years
3-6 years
500,000 to 2
million
500,000 to 2
million
500,000 to 1
million
500,000 to 1
million
500,000 to 1
million
500,000 to 2
million
1 million to 5
million