
Data Privacy Act Implementing Rules and Regulations

This document outlines key provisions of the Data Privacy Act of the Philippines and its implementing rules and regulations. It discusses the principles of transparency, legitimate purpose and proportionality that must be followed in processing personal data. It also requires security measures to protect personal data and establishes the rights of data subjects, including the rights to access, rectify, object to processing of their personal data. The rules are intended to effectively implement the Data Privacy Act and ensure compliance with international privacy standards.

Uploaded by

Raquel Monsalve
Copyright
© All Rights Reserved

Data Privacy Act of the Philippines

Implementing Rules and Regulations of RA 10173, known as the “Data Privacy Act of 2012”
Pursuant to the mandate of the National Privacy Commission to administer and implement the
provisions of the Data Privacy Act of 2012, and to monitor and ensure compliance of the country with
international standards set for data protection, the following rules and regulations are hereby promulgated
to effectively implement the provisions of the Act.

Rule IV. Data Privacy Principles.


Section 17. General data privacy principles. The processing of personal data shall be allowed, subject to
compliance with the requirements of the Act and other laws allowing disclosure of information to the
public, and adherence to the principles of transparency, legitimate purpose and proportionality.

Section 18. Principles of transparency, legitimate purpose and proportionality. The processing of data
shall be allowed subject to adherence to the principles of transparency, legitimate purpose and
proportionality.
A. Transparency. The data subject must be aware of the nature, purpose, and extent of the
processing of his or her personal data, including the risk and safeguards involved, the identity
of personal information controller, his or her rights as a data subject, and how these can be
exercised. Any information and communication relating to the processing of personal data
should be easy to access and understand, using clear and plain language.
B. Legitimate Purpose. The processing of information shall be compatible with a declared and
specified purpose which must not be contrary to law, morals or public policy.
C. Proportionality. The processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified purpose. Personal data
should be processed only if the purpose of the processing could not reasonably be fulfilled
by other means.
Section 19. General principles in collection, processing and retention.
The processing of personal data shall adhere to the following general principles in the collection,
processing and retention of personal data.
A. Collection must be for a declared, specified and legitimate purpose.
B. Personal data shall be processed fairly and lawfully.
C. Processing should ensure data quality.
D. Personal data shall not be retained longer than necessary.
E. Any authorized further processing shall have adequate safeguards.

Rule VI. Security Measures for the protection of personal data.


Section 25. Data privacy and security. Personal information controllers and personal
information processors shall implement reasonable and appropriate organizational, physical and technical
security measures for the protection of personal data. The personal information controller and personal
information processor shall take steps to ensure that any natural person acting under their authority and
who has access to personal data, does not process them except upon their instructions, or as required by
law. The security measures shall aim to maintain the availability, integrity and confidentiality of personal
data and are intended for the protection of personal data against any accidental or unlawful destruction,
alteration and disclosure, as well as against other unlawful processing. These measures shall be
implemented to protect personal data against natural dangers such as accidental loss or destruction, and
human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and
contamination.

Section 26. Organizational Security Measures. Where appropriate, personal information
controllers and personal information processors shall comply with the following guidelines for
organizational security.
a. Compliance officers
b. Data protection policies
c. Records of processing activities
d. Management of human resources
e. Processing of personal data

Section 27. Physical security measures. Where appropriate, personal information controllers and
personal information processors shall comply with the following guidelines for physical security.
A. Policies and procedures shall be implemented to monitor and limit access to and activities in
the room, workstation or facility, including guidelines that specify the proper use of and
access to electronic media.
B. Design of office space and workstation, including the physical arrangement of furniture and
equipment, shall provide privacy to anyone processing personal data, taking into
consideration the environment and accessibility to the public.
C. The duties, responsibilities and schedule of individuals involved in the processing of personal
data shall be clearly defined to ensure that only individuals actually performing official
duties shall be in the room or workstation at any given time.
D. Any natural or juridical person or other body involved in the processing of personal data shall
implement policies and procedures regarding the transfer, removal, disposal, and re-use of
electronic data, to ensure appropriate protection of personal data.
E. Policies and procedures that prevent the mechanical destruction of files and equipment shall
be established. The room and workstation used in the processing of personal data shall, as far
as practicable, be secured against natural disasters, power disturbances, external access, and
other similar threats.

Rule VIII. Rights of Data Subjects

Section 34. Rights of the Data Subject. The data subject is entitled to the following rights:
a. Right to be informed.

1. The data subject has a right to be informed whether personal data pertaining to him or her shall
be, are being, or have been processed, including the existence of automated decision-making and
profiling.

2. The data subject shall be notified and furnished with information indicated hereunder before
the entry of his or her personal data into the processing system of the personal information controller, or
at the next practical opportunity:

(a) Description of the personal data to be entered into the system;

(b) Purposes for which they are being or will be processed, including processing for
direct marketing, profiling or historical, statistical or scientific purpose;

(c) Basis of processing, when processing is not based on the consent of the data subject;

(d) Scope and method of the personal data processing;

(e) The recipients or classes of recipients to whom the personal data are or may be
disclosed;

(f) Methods utilized for automated access, if the same is allowed by the data subject, and
the extent to which such access is authorized, including meaningful information about the logic
involved, as well as the significance and the envisaged consequences of such processing for the
data subject;

(g) The identity and contact details of the personal data controller or its representative;

(h) The period for which the information will be stored; and

(i) The existence of their rights as data subjects, including the right to access, correction,
and object to the processing, as well as the right to lodge a complaint before the Commission.

b. Right to object. The data subject shall have the right to object to the processing of his or her personal
data, including processing for direct marketing, automated processing or profiling. The data subject shall
also be notified and given an opportunity to withhold consent to the processing in case of changes or any
amendment to the information supplied or declared to the data subject in the preceding paragraph.

When a data subject objects or withholds consent, the personal information controller shall no longer
process the personal data, unless:

1. The personal data is needed pursuant to a subpoena;

2. The collection and processing are for obvious purposes, including, when it is necessary for the
performance of or in relation to a contract or service to which the data subject is a party, or when
necessary or desirable in the context of an employer-employee relationship between the collector and the
data subject; or

3. The information is being collected and processed as a result of a legal obligation.

c. Right to Access. The data subject has the right to reasonable access to, upon demand, the following:

1. Contents of his or her personal data that were processed;

2. Sources from which personal data were obtained;

3. Names and addresses of recipients of the personal data;

4. Manner by which such data were processed;

5. Reasons for the disclosure of the personal data to recipients, if any;

6. Information on automated processes where the data will, or is likely to, be made as the sole
basis for any decision that significantly affects or will affect the data subject;

7. Date when his or her personal data concerning the data subject were last accessed and
modified; and

8. The designation, name or identity, and address of the personal information controller.

d. Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal
data and have the personal information controller correct it immediately and accordingly, unless the
request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal
information controller shall ensure the accessibility of both the new and the retracted information and the
simultaneous receipt of the new and the retracted information by the intended recipients thereof:
Provided, That recipients or third parties who have previously received such processed personal data shall
be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.

e. Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the
blocking, removal or destruction of his or her personal data from the personal information controller’s
filing system.

1. This right may be exercised upon discovery and substantial proof of any of the following:

(a) The personal data is incomplete, outdated, false, or unlawfully obtained;

(b) The personal data is being used for purpose not authorized by the data subject;

(c) The personal data is no longer necessary for the purposes for which they were
collected;

(d) The data subject withdraws consent or objects to the processing, and there is no other
legal ground or overriding legitimate interest for the processing;

(e) The personal data concerns private information that is prejudicial to data subject,
unless justified by freedom of speech, of expression, or of the press or otherwise authorized;

(f) The processing is unlawful;

(g) The personal information controller or personal information processor violated the
rights of the data subject.

https://www.privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/#34
