I. Introduction
The Data Privacy Act, Republic Act No. 10173 (“DPA”), serves as the Philippines' cornerstone legislation for the protection of personal information. Influenced by the European Union Data Protection Directive (95/46/EC), it was passed in 2012 and aims to give individuals rights that enhance their control over their personal information while ensuring a free flow of information to promote innovation and growth in the Philippines.
To oversee the implementation of the DPA, the National Privacy Commission (“NPC”) was established under the DPA in 2016. Shortly after, the NPC introduced the Implementing Rules and Regulations of Republic Act No. 10173 (the “IRRs” or “IRR”). The IRRs provide comprehensive details on the lawful bases for processing, data subjects’ rights, and organizations’ obligations when processing the personal information of individuals, and lay out penalties for organizations in case of non-compliance with the DPA and its IRRs.
II. Who Needs to Comply with DPA
A. Material Scope
The DPA applies to ‘the processing of all types of personal information and to any natural and juridical person involved in personal information processing’. This includes both public and private sectors but excludes the processing of personal information pertaining to:
- an individual’s personal, family, or household affairs;
- a person’s position or functions as a government employee, and similar information about the performance of government contracts;
- financial benefits, such as licenses or permits, granted by the government to an individual;
- journalistic, artistic, literary, or research purposes;
- the needs of scientific and statistical research, provided no activities are carried out and no decisions are taken regarding the data subject;
- activities necessary to carry out the functions of public authority;
- activities necessary for banks to carry out obligations under various money-laundering laws; and
- information originally collected from residents of other countries, in accordance with their laws, that is processed in the Philippines.
B. Territorial Scope
The DPA applies to any entity, whether in the Philippines or outside of the Philippines, if the entity:
- deals with personal information about a Philippine citizen or resident; and
- has a link with the Philippines, for example, when:
  - a contract is made in the Philippines;
  - a foreign entity has central management and control in the Philippines; or
  - an entity has a branch, agency, office, or subsidiary in the Philippines, and the parent or affiliate has access to personal information; or
- has other links with the Philippines (including carrying on business in the Philippines or collecting personal information in the Philippines).
III. Definitions of Key Terms
a. Consent
Any express, explicit, and well-informed indication of agreement that the data subject gives to the collection and use of personal data about themselves. Consent must be evidenced in writing, electronically, or by recording. It may also be given by an agent authorized by the data subject.
b. Personal Information
Any information, whether recorded or not, that can reveal a person's identity. This can be information from which the holder can readily identify the person, or information that, when combined with other details, would clearly identify an individual.
c. Personal Information Controller (PIC)
An individual or organization that controls the collection, storage, processing, or use of personal information, including instructing others to do so on its behalf. This term excludes:
- Entities acting solely on the instructions of another party.
- Individuals handling personal information for personal, family, or household purposes.
d. Sensitive Personal Information
Sensitive personal information includes an individual’s race, ethnicity, marital status, age, color, beliefs, health, education, genetic or sexual life, legal history, tax returns, social security number, and other data classified by the government as such.
The DPA prohibits the processing of sensitive personal information and privileged information except in cases where:
- prior consent from the data subject or all parties involved is obtained;
- required by law, provided the law ensures data protection and does not mandate additional consent;
- necessary to protect life or health, and the data subject cannot consent;
- required for the lawful objectives of public organizations, provided prior consent is present, the personal information is not transferred to third parties, and the processing is limited to members;
- required for medical treatment by authorized professionals, with adequate data protection; and
- necessary to protect lawful rights in court proceedings, establish, exercise, or defend legal claims, or provide data to government or public authorities for these purposes.
However, it is important to note that, as per NPC-issued guidelines, sensitive data should only be processed when necessary to protect lawful rights or legal claims, ensuring that the processing is adequate, relevant, and not excessive. The guidelines specify that processing can occur during the preparatory stages of legal cases and does not require an ongoing case. In such cases, organizations must clearly inform data subjects about the personal data being processed and explain the nature, purpose, and extent of the data use.
e. Personal Information Processor (PIP)
Any natural or juridical person to whom a PIC may outsource the processing of personal data.
IV. Obligations for Organizations Under DPA
A. Lawful Basis Requirements
Processing personal data is only allowed under certain circumstances and if it is not legally prohibited. These include:
- obtaining the consent of the data subject;
- fulfilling contractual or pre-contractual obligations;
- complying with a legal obligation;
- safeguarding vital interests like life and health;
- responding to national emergencies or calls for public safety; or
- pursuing legitimate interests of the PICs or third parties, as long as these don't conflict with the rights and freedoms of the data subject.
B. Consent Requirements
Organizations are required to collect the consent of data subjects before the processing of personal information.
C. Security Requirements
In order to safeguard personal information from accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing, PICs are required to implement reasonable and appropriate organizational, physical, and technical measures.
The nature of the data, the risks involved, the size and complexity of the organization, data privacy best practices, and the implementation cost must all be considered when determining the right security measures for processing personal information. These include network security measures, a security policy, vulnerability identification procedures, and routine security breach monitoring.
Moreover, the PIC must ensure third parties follow these security measures. Even when their employment ends, employees who handle personal data are required to maintain strict confidentiality.
D. Data Breach Requirements
The PIC must promptly notify the NPC and affected individuals if sensitive personal information, or other information that could enable identity fraud, is reasonably believed to have been acquired by an unauthorized person. Notification is required when the breach is likely to pose a real risk of serious harm to the affected individuals.
The notification must include details about the breach, the sensitive information involved, and actions taken to address it. Any delay in notification is permitted only to assess the breach, prevent further disclosures, or restore system integrity.
E. Cross-Border Data Transfer Requirements
The PIC is accountable for the personal data under its control, regardless of whether it is transferred to third parties for processing, whether domestically or internationally. The PIC is required to ensure compliance with data protection laws and implement contractual or other reasonable measures that ensure protection equivalent to the DPA during third-party processing. Furthermore, the PIC is required to designate an individual or individuals who are responsible for ensuring compliance with the law.
VI. Data Subject Rights
a. Right to be Informed
Data subjects have the right to be informed when the PIC or PIP is processing personal information related to them.
b. Right to Erasure
Data subjects can request the PIC to suspend, remove, or destroy their personal data in the PIC's personal information filing system.
c. Right to Object
Data subjects have the right to block or object to their personal information being processed by the PIC.
d. Right to Rectification
Data subjects have the right to request the rectification of their incomplete and/or inaccurate personal information held by the PIC.
e. Right to Access
Data subjects have the right to access their personal information held by the PIC.
f. Right to Data Portability
Data subjects have the right to request a copy of their personal information from the PIC in an electronic or structured format.
g. Right to Indemnification
Data subjects have the right to be indemnified for damages sustained due to inaccurate, incomplete, false, unlawfully obtained, or unauthorized use of personal information by the PIC.
h. Right to Complain
Data subjects have the right to file a complaint against the PIC before the NPC.
VII. Regulatory Authority
The NPC is an independent body established to implement and oversee compliance with the data protection provisions of the DPA and to ensure alignment with international data privacy standards. Its key functions include:
- ensuring compliance with data protection laws, handling complaints, conducting investigations, and resolving disputes;
- issuing orders to stop harmful data processing;
- enforcing compliance actions against entities and government agencies;
- monitoring and recommending improvements to security measures;
- collaborating with government and private sectors to enhance data protection;
- publishing guides and records on data protection laws;
- recommending prosecution for violations;
- approving privacy codes for PICs;
- providing privacy-related assistance and advice;
- proposing changes to privacy laws;
- coordinating with international privacy regulators; and
- helping Philippine companies comply with foreign privacy laws.
VIII. Penalties for Non-Compliance
Non-compliance with the DPA, its IRRs, and any issuances of the NPC can lead to administrative, civil, and criminal liabilities. Penalties range from imprisonment of 6 months to 7 years and a fine of not less than five hundred thousand pesos (Php500,000.00) and not more than four million pesos (Php4,000,000.00).
The DPA also prescribes that if the offender is a corporation, partnership, or any other juridical person, the penalty shall be imposed upon the responsible officers who participated in, or by their gross negligence, allowed the commission of the crime.
IX. How an Organization Can Operationalize the DPA
To operationalize the DPA, organizations can:
- appoint a privacy officer or team to supervise compliance with the DPA;
- conduct privacy impact assessments to identify and mitigate privacy risks;
- establish a comprehensive, transparent and accessible privacy policy outlining how personal information is collected, used, stored, and disclosed;
- implement robust data security measures, such as encryption, access controls, and regular audits, to protect personal information from unauthorized access, disclosure, or loss;
- maintain detailed records of personal information handling practices, including consent obtained from individuals, privacy impact assessments, and responses to data breaches;
- ensure contracts with third-party service providers include privacy and data protection clauses;
- honor data subject access and correction requests; and
- provide regular training to all employees on privacy obligations under the DPA.
X. How Securiti Can Help
Securiti emerges as a pivotal catalyst for organizations seeking to navigate and comply with the Philippines’ Data Privacy Act of 2012. Securiti’s robust modules fortify organizations against potential cyber threats and ensure alignment with the Philippines Data Privacy Act of 2012. Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI.
Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.