
Atty. Maria Cecilia Soria
@ ceciliasoria.com

#TIL
#DataPrivacy
[A survey of key NPC Advisory Opinions]

30 Aug 2018 SM Aura Convention Center

8.8K Retweets 24K Likes



#TIL #DataPrivacy Trade secrets that do not relate to
individuals do not fall under the scope of the DPA.
However, a specialized customer list may be a trade
secret as well. If this involves a list of individual natural
persons then the same may fall under the scope of the
DPA as either personal or sensitive personal information,
depending on what is included in such list or database.
[ADVISORY OPINION No. 2018-017] #personaldata

#TIL #DataPrivacy Blacklisting constitutes processing of
personal data and is subject to the general data privacy
principles under the DPA. Data subjects must be properly
informed of the nature, purpose, and extent of the
processing of their personal data. Further, it is mandatory for
an organization to clearly establish procedures that allow
data subjects to exercise their right to access,
rectification, erasure, or blocking. [ADVISORY OPINION
No. 2017-063] #dataprocessing

#TIL #DataPrivacy Personal data processed in the
Philippines, but which were originally collected from
residents of foreign jurisdictions in accordance with the
laws thereof, fall outside the scope of the DPA. Thus, the
collection itself of said personal data is governed by the
laws of the foreign jurisdiction. Other types of processing
that the personal data is subjected to here in the
Philippines remain covered by the DPA. [ADVISORY
OPINION No. 2017-018] #DPAcoverage

#TIL #DataPrivacy International affiliates or subsidiaries
of Philippine corporations that do not operate or do
business in the Philippines and do not process personal
data through data processing systems operating in the
Philippines are not covered by the mandatory requirement
to register personal data processing systems.
[ADVISORY OPINION No. 2017-62] #DPAcoverage

#TIL #DataPrivacy Information submitted by PICs or PIPs
relating to the registration of their data processing
systems are considered as official records that may be
subject to subpoenas by Congress for inquiries in aid of
legislation. Notwithstanding this, the NPC is also
mandated to ensure at all times the confidentiality of any
personal information that comes to its knowledge and
possession. [ADVISORY OPINION No. 2017-064]
#NPCduty #confidentiality

#TIL #DataPrivacy An organization should have a policy
on what personal data is reflected in the company ID and
the corresponding purpose/s thereof. The data enclosed
on the ID must be proportionate to the purpose.
Government-issued ID numbers, civil status, gender, and
blood type are sensitive personal information. Such
information is afforded more protection and its
processing is generally prohibited unless there is lawful
basis under the DPA. [ADVISORY OPINION No.
2017-066] #dataprivacyprinciples #proportionality

#TIL #DataPrivacy PICs or PIPs that are not required to
register their data processing system/s need not formally
submit the name of their Data Protection Officer to the
National Privacy Commission. [ADVISORY OPINION No.
2017-37] #registration

#TIL #DataPrivacy To determine if a PIC meets the
threshold of processing sensitive personal information of
“at least 1,000 individuals” for the registration of personal
data processing systems, the count should include past
clients or employees if the PIC continues to store this
information. [ADVISORY OPINION No. 2018-022]
#registration

#TIL #DataPrivacy A Homeowner’s Association (HOA) is
considered a personal information controller mandated to
appoint a Data Protection Officer. It may also be required
to register its personal data processing system if it
processes sensitive personal information of at least 1,000
individuals. To make this determination, the HOA may
conduct a privacy impact assessment. [ADVISORY
OPINION No. 2018-019] #registration #PIA

#TIL #DataPrivacy There is no express prohibition for a
company to profile individuals based on publicly-available
personal data. However, data subjects have a right to be
informed that their data is being processed, including the
existence of automated decision-making and profiling.
Data subjects also have the right to object and withhold
consent. Where automated processing becomes the sole
basis for making decisions about a data subject, the PIC
must notify the NPC of such processing. [ADVISORY
OPINION No. 2017-41] #datasubject #rights

#TIL #DataPrivacy There are no rules on how frequently a
data subject may request access to information on the
processing of their personal data. In some jurisdictions,
such request may be made at reasonable intervals. What
is considered “reasonable” is determined on a case-to-case
basis. PICs or PIPs are given the discretion to
determine what would constitute a reasonable interval,
given the attendant facts of a particular case or request.
[ADVISORY OPINION No. 2018-018] #datasubject #rights

#TIL #DataPrivacy The condominium corporation may
lawfully disclose the unit numbers of its members to
enable a member/unit owner to exercise their right to
inspect the books and records of the corporation as
provided under the Corporation Code. [ADVISORY
OPINION No. 2018-011] #personaldataprocessing
#lawfulbasis

#TIL #DataPrivacy The government or its agencies do
not have blanket authority to access or use the
information about private individuals under the custody of
another agency. The release of a copy of the master list of
students and individuals who were vaccinated with
Dengvaxia®, which contains sensitive personal
information, to the requesting public could constitute an
unwarranted invasion of personal privacy. [ADVISORY
OPINION No. 2018-007] #lawfulbasis #purpose

#TIL #DataPrivacy The Philippine National Police (PNP),
pursuant to its law enforcement function, may request
personal data. However, this should be anchored on an
investigation, i.e., “the collection of facts to accomplish a
three-fold aim: a) identify the suspect; b) locate the
suspect; and c) provide evidence of his guilt.” The PNP
may be given personal data of public concern such as
information of government employees. Submission of
sensitive personal information is prohibited except in cases
provided under the DPA. [ADVISORY OPINION No.
2017-056] #dataprivacyprinciples #lawfulbasis #purpose

#TIL #DataPrivacy Online merchants can save credit card
details of customers for the purpose of completing the
transaction for which the details were given. Storing details
longer—for the purpose of facilitating future transactions or
for convenience of clients—requires consent. Without
consent, the merchant should be able to show a lawful
basis for its retention periods. The merchant should also
inform clients of the nature and extent of the personal data
processing and put in place security measures for the
protection of personal data. [ADVISORY OPINION No.
2017-055] #lawfulbasis #consent #purpose

#TIL #DataPrivacy Where a customer calls a service
hotline to update his information, processing of personal
data is limited to the purpose of updating his information.
Reference to the privacy notice posted in the website is
allowed, but this will not be equivalent to consent. If the
PIC requires consent for other purposes, the customer
would have to provide express consent thereto, either by
saying on record that he agrees, ticking a box in an online
form, or submitting a signed form. [ADVISORY OPINION
No. 2017-059] #lawfulbasis #consent #purpose #notice

#TIL #DataPrivacy The disclosure of sensitive personal
information is prohibited except when the data subject has
given consent or when it is covered by another lawful basis.
Without these, a former employer cannot disclose the
employee's health data to a prospective employer. The
former employee should also be informed of the extent of
disclosure of their health information. [ADVISORY
OPINION No. 2017-61] #lawfulbasis #consent #purpose
#notice

#TIL #DataPrivacy A teacher may have the right to seize
a minor student's cellphone to implement a DepEd rule
prohibiting cellphone use in class. However, this does not
automatically authorize the teacher to search the contents
of the cellphone. The teacher may access its contents to
protect vitally important interests of the student—including
his life and health—or to respond to a national
emergency. Consent is not a lawful basis in this case
since the minor cannot legally give consent. [ADVISORY
OPINION No. 2017-049] #lawfulbasis #consent

#TIL #DataPrivacy Organizations must determine
whether information being collected in visitor logbooks is
necessary and proportionate to the purpose of collection.
The risks and vulnerabilities in the processing should also
be identified and addressed, and security measures
implemented should also be evaluated. A privacy notice
may be displayed alongside the logbook to apprise
visitors of the purpose of collection, recipients of collected
information, and retention period of stored information,
among others. [ADVISORY OPINION No. 2018-003]
#dataprivacyprinciples #notice

#TIL #DataPrivacy Radio stations may not be required by
the Philippine Army to submit personal data if the
Philippine Army has not stated its purpose for the
collection of information. The Army's pursuit of its
mandate does not exempt it from complying with the
principles of transparency, legitimate purpose, and
proportionality. [ADVISORY OPINION No. 2018-009]
#dataprivacyprinciples #lawfulbasis #purpose

#TIL #DataPrivacy The mere posting of a PIC’s privacy
policy or notice and requiring the consumers to agree
thereon via the online platform does not equate to
obtaining the consent of the data subject for purposes of
processing their personal information as required under
the law. [ADVISORY OPINION No. 2018-013]
#lawfulbasis #consent

#TIL #DataPrivacy A hospital’s disclosure of the patients’
data for purposes of fulfilling the resident physicians’
submission requirements for diplomate board exam and
accreditation to the Philippine College of Surgery (PCS)
and Philippine Obstetrics and Gynecology Society
(POGS) may be allowed under the DPA provided that the
patient has provided consent. [ADVISORY OPINION No.
2018-016] #lawfulbasis #consent

#TIL #DataPrivacy Posting of names of successful
applicants for admission to the University may be allowed
under the lawful basis of the pursuit of the legitimate
interest. The NPC however counseled that, moving
forward, the University should obtain the consent of the
applicants for the posting of their names on the bulletin
board. [ADVISORY OPINION No. 2018-020] #lawfulbasis
#consent

#TIL #DataPrivacy If the PIC has the data subject for its
customer or client, and the processing of the latter’s
personal data is based on such relationship, a consent
coterminous with the relationship meets the “time-bound”
requirement. What is not permitted is having the duration
of the consent determined solely by the PIC. This directly
contravenes the “time-bound” requirement and
undermines the very concept of consent, which is an
indication of will of the data subject, not that of the PIC.
[ADVISORY OPINION No. 2017-018] #lawfulbasis
#consent

#TIL #DataPrivacy The fact that a company pays the
premium for Health Maintenance Organization (HMO)
coverage does not justify access to the health information
of employees. The company must obtain the consent of
the data subject/patient/employee for such purpose. The
company cannot, however, compel an HMO to disclose
medical information without authorization from the data
subject, or without other legal basis for processing.
[ADVISORY OPINION No. 2017-025] #lawfulbasis
#consent

#TIL #DataPrivacy The requirement for deletion of
personal data covers both the website/platform and the
system backup. Any claim that deletion of a portion of the
backup system jeopardizes the system must be
adequately proven. Only then can the NPC entertain
alternative proposals for compliance with the law.
[ADVISORY OPINION No. 2017-001] #dataretention

#TIL #DataPrivacy Whether processing is based on
consent, law, or some other lawful basis, the PIC is not
required to obtain a separate consent from the data
subject before entering into an outsourcing agreement as
the purpose of the processing remains the same
and the PIC remains the same. However, the PIC
must indicate in its privacy notice to the data subject the
particular data processing activities that are outsourced.
[ADVISORY OPINION No. 2018-015] #privacynotice
#outsourcing

#TIL #DataPrivacy Where a company has reasonable
knowledge that a database of personal data it uses for
marketing is the fruit of an unlawful activity, the company
should discontinue processing said personal data as the
same may be construed as unauthorized processing
punishable under Section 25 of the DPA. [ADVISORY
OPINION No. 2017-030] #lawfulbasis
#unauthorizedprocessing

#TIL #DataPrivacy The PIC or PIP shall not be liable for
a personal data breach resulting from force majeure upon
positive showing that the PIC or PIP had appropriate
security measures in place and was not negligent in the
performance of its obligations as PIC or PIP. [ADVISORY
OPINION No. 2017-39] #databreach #liability

#TIL #DataPrivacy When employees of BPOs commit a
violation of the DPA, even where personal information of
foreign citizens is involved, such employees may be held
liable. The affected account holders should file the
complaint, unless the BPO is authorized to do so by the
foreign client. As an alternative, the BPO may file the
complaint as the person subject of a privacy violation or a
personal data breach, not as a data subject, but as a PIP.
[ADVISORY OPINION No. 2017-058]
#dataprivacyviolation

Any #questions on the material covered?

Follow my blog at ceciliasoria.com.
Email me at mail@ceciliasoria.com.
Add me on @LinkedIn at https://www.linkedin.com/in/ceciliasoria/

OK to share; non-commercial use only; please credit ceciliasoria.com.
