
The coverage for the Data Privacy Act is as follows

(based on unofficial sources):


1 Personal vs Sensitive Personal Information
2 Scope
3 Processing of Personal Information
4 Rights of a Data Subject
Some important topics under the Data Privacy Act
and privacy law in general, which we have already
discussed (linked below), are not covered but are
important to know:
1 Constitutional and Statutory Basis for the Right to
Privacy under Philippine Law (except the Data
Privacy Act)
2 The Reasonable Expectation of Privacy Test (Pollo
vs Constantino-David G.R. 181881, Oct. 18, 2011)
3 The Data Protection Officer – Roles,
Responsibilities and Rights
4 Data Controller, Data Processor and Data Subjects
(Tripartite privacy relationship)
5 Legal Basis for Processing of Personal Information
6 Cybercrime Warrants
7 Privacy Torts
8 Writ of Habeas Data
9 Mutual Legal Assistance Treaties and Letters
Rogatory (for Public International Law)
Today we’re going to discuss the coverage of
the Data Privacy Act specifically for the 2019 Bar
Examinations.

Constitutional Basis
Under the most recent 1987 Philippine Constitution,
the Right to Information and Communications
Privacy is recognized under Article III, Sec. 3(1),
which states:
The privacy of communication and
correspondence shall be inviolable except
upon lawful order of the court, or when
public safety or order requires otherwise, as
prescribed by law.

Personal vs Sensitive Personal Information
Personal Information
Under Sec. 3(g) of the Data Privacy Act, Personal
Information is defined as the following:
Refers to any information whether recorded
in a material form or not, from which the
identity of an individual is apparent or can
be reasonably and directly ascertained by
the entity holding the information, or when
put together with other information would
directly and certainly identify an individual.
Basically, personal information is anything that can
identify an individual.
Examples are your name, ID number, online
usernames, email address, phone number, stage
names, etc.
Sec. 3(g) applies to both paper-based and electronic
records.
Personal information may also be pieces of
information that, when aggregated with other
information, can reasonably identify an individual,
based on substantial evidence from which a prudent
person may reasonably believe that such
information can be traced to a unique
individual.
Context, meaning how the information is displayed
or how it appears, is generally important. As a
general rule, if such information can be reasonably
traced back to an individual, then it is personal
information.
Sample Question: Juan Dela Cruz, a Filipino citizen,
filled out a survey form. The survey form only asked
about his favorite coffee flavors and how much he
spends per week on coffee. The survey also asked
for his first name. Is the survey collecting personal
information?
Answer: No. A first name by itself cannot reasonably
identify an individual. Juan cannot be distinguished
from other persons named “Juan”. Nor can
information about his favorite coffee flavors and
how much he spends on coffee, even if taken
together with his first name, be said to
reasonably identify Juan.
However, if the survey asked for his full name, even
if there is more than one (1) Juan Dela Cruz in the
Philippines, it is still considered as collecting
personal information.
Sensitive Personal Information
Sensitive Personal Information refers to special
categories of information classified under
Sec. 3(l) of the Data Privacy Act as follows:
Sensitive personal information refers to
personal information:
(1) About an individual’s race, ethnic origin,
marital status, age, color, and religious,
philosophical or political affiliations;
(2) About an individual’s health, education,
genetic or sexual life of a person, or to any
proceeding for any offense committed or
alleged to have been committed by such
person, the disposal of such proceedings, or
the sentence of any court in such
proceedings;
(3) Issued by government agencies peculiar
to an individual which includes, but not
limited to, social security numbers, previous
or current health records, licenses or its
denials, suspension or revocation, and tax
returns; and
(4) Specifically established by an executive
order or an act of Congress to be kept
classified.
Sensitive personal information must be personal
information. This means that it must be able to
identify an individual.
For example, health information such as a medical
diagnosis or prognosis by itself is not sensitive
personal information unless there is a Patient ID or
name of the patient together with the health
information that can be used to trace it back to an
individual.
BIR, SSS, GSIS, PhilHealth and other government
records are also classified as Sensitive Personal
Information.
Most people are confused about how to distinguish
“sensitive personal information” from “sensitive
information” or “confidential information”.
Sensitive Personal Information (SPI) is enumerated
by law, under Sec. 3(l) of the Data Privacy Act. SPIs
can be traced back to individuals.
Sensitive Information is any information that may
cause harm or prejudice when disclosed to an
individual or the general public. This is not
protected under the Data Privacy Act.
Examples are trade secrets and business-related
information such as business records which do
not contain any personal information. It can also be
government information such as classified
documents and national security related
information.
Confidential information is specifically provided by
law under the Rules of Court (such as doctor-patient
or attorney-client privilege) or statute (such as
arbitration proceedings and awards under the
Domestic Arbitration Law). Generally, the effect of
confidentiality is that the information is
inadmissible in any court, in any proceeding.

Scope
Scope is discussed under Sec. 4 of the Data Privacy
Act.
x x x Applies to the processing of all types of
personal information and to any natural and
juridical person involved in personal
information processing including those
personal information controllers and
processors who, although not found or
established in the Philippines, use
equipment that are located in the
Philippines, or those who maintain an office,
branch or agency in the Philippines x x x
Requisites
• Must involve any processing of personal
information
• By either natural or juridical persons
• Either acting as a controller or processor
• Whether or not found in the Philippines that uses
equipment or maintains an office, branch or
agency in the Philippines.
What are the exceptions (Sec. 4)?
• Government employee data relating to their official
functions and position
• Government contractor data
• Licenses or permits and any other discretionary
benefit given by the government
• Processing of information for journalistic, artistic,
literary or research purposes
• Personal information processed by public
authorities relating to the performance of their
constitutionally and statutorily mandated
functions.
• Personal information processed for Anti-Money
Laundering purposes
• Personal information originally collected from
residents of foreign jurisdictions even if the
personal information is processed in the
Philippines
• Personal information relating to media sources
(Sec. 5)
Extraterritorial application (Sec. 6)
Applies to entities within and outside of the
Philippines when
• Processing of personal information about a
Philippine citizen or resident
• Processing of personal information when the entity
has a link with the Philippines and such
personal information is about a Philippine
citizen or resident.
• Examples:
• Contract entered in the Philippines
• A foreign company with central
management and control in the
Philippines
• A Philippine subsidiary of a foreign
company where the latter has access
to personal information in the
Philippines.
• Entity is doing business in the Philippines
• Personal information is collected by an
entity in the Philippines

Processing of Personal Information
Principles of Transparency, Legitimate Purpose and Proportionality (Sec. 11)
• Transparency
• The data subject must be aware of the nature,
purpose, and extent of the processing of
his or her personal data, including the risks
and safeguards involved, the identity of
personal information controller, his or her
rights as a data subject, and how these can
be exercised. Any information and
communication relating to the processing
of personal data should be easy to access
and understand, using clear and plain
language.
• Legitimate purpose
• The processing of information shall be
compatible with a declared and specified
purpose which must not be contrary to law,
morals, or public policy.
• Proportionality
• The processing of information shall be
adequate, relevant, suitable, necessary,
and not excessive in relation to a declared
and specified purpose. Personal data shall
be processed only if the purpose of the
processing could not reasonably be fulfilled
by other means.
General principles in collection, processing and retention of personal information (Sec. 11)
• Collection must be for a declared, specified, and
legitimate purpose.
• Personal data shall be processed fairly and
lawfully.
• Processing should ensure data quality.
• Personal Data shall not be retained longer than
necessary.
• Any authorized further processing shall have
adequate safeguards.
Legal Basis for Processing of Personal Information (Sec. 12 and 13)
• Consent (express) – Processing of personal
information with the express consent of the data
subject; implied consent is not allowed. (Sec.
12(a) and 13(a))
• Contractual necessity – Processing in fulfillment of
a contractual obligation (Sec. 12(b))
• Legal obligation – Processing under a legal
obligation by the personal information
Controller (Sec. 12(c) and 13(f))
• Vital interest – Processing to protect health and
safety of the data subject (Sec. 12(d) and 13(c)
and 13(e))
• Public interest – Processing in the event of a
national emergency, public order and safety
(Sec. 12(e))
• Legitimate interest – Processing under legitimate
interests pursued by the Personal Information
Controller (Sec. 12(f))
Full details in my separate post here –
https://privacyph.net/2018/11/22/processing-of-personal-information-data-privacy-act/
General rule – Processing of Sensitive Personal
Information is prohibited except in the cases
enumerated under Sec. 13.

Rights of a Data Subject
Who is a Data Subject (Sec. 3(c))?
Data subject refers to an individual whose personal
information is processed.
Rights of the Data Subject
• Right to be informed (Sec. 16(a) and Sec. 16(b))
• As a data subject, you have the right to be
informed that your personal data will be,
are being, or were collected and
processed. (Sec. 16(a))
• Data subjects also have the right to be
furnished, beforehand or at the next
practicable opportunity, information
about how personal information will be
stored, accessed, shared and contained, the
methods, the period, the contact details of the
controller, and the existence of the rights under
the Data Privacy Act. (Sec. 16(b))
• Right to Access (Sec. 16(c))
• You have a right to obtain from an organization
a copy of any information relating to you
that they have on their computer database
and/or manual filing system. It should be
provided in an easy-to-access format,
accompanied with a full explanation
executed in plain language.
• Right to Rectify (Sec. 16(d))
• You have the right to dispute and have
corrected any inaccuracy or error in the
data a personal information controller (PIC)
holds about you.
• Right to Erasure/Blocking (Sec. 16(e))
• The right to suspend, withdraw or order the
blocking, removal or destruction of his or
her personal information from the personal
information controller’s filing system upon
discovery and substantial proof that the
personal information is incomplete,
outdated, false, unlawfully obtained, used
for unauthorized purposes or no longer
necessary for the purposes for which it
was collected.
• Right to Object (Sec. 16(e))
• You can exercise your right to withdraw or
object if the personal data processing
involved is based on consent or on
legitimate interest.
• Right to Damages (Sec. 16(f))
• You may claim compensation if you suffered
damages due to inaccurate, incomplete,
outdated, false, unlawfully obtained or
unauthorized use of personal data,
considering any violation of your rights and
freedoms as data subject.
• Transmissibility Rights (Sec. 17)
• The lawful heirs and assigns of the data
subject may invoke the rights of the data
subject upon death or incapacity
• Right to File Complaints (Sec. 7(b))
• The right to file a complaint with the National
Privacy Commission
• Right to Data Portability (Sec. 18)
• Data portability allows you to obtain and
electronically move, copy or transfer your
data in a secure manner, for further use.
