Law: 

The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act')

Regulator: The National Privacy Commission ('NPC') 

Summary: The Act came into effect in 2012 and is the first comprehensive data privacy law
in the Philippines. The NPC was established in 2016 and supplemented the Act through
the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR'), which provides
details on the requirements under the Act as well as sanctions for non-compliance. The NPC
has also released over 100 advisory opinions in response to queries on topics such as data
breach management, notifications regarding automated decision-making, the designation of
data protection officers, Privacy Impact Assessments, and access to personal data. In
addition, the Act Defining Cybercrime, Providing for the Prevention, Investigation,
Suppression and the Imposition of Penalties therefore and for Other Purposes (Republic Act
No. 10175) ('the Cybercrime Law'), which entered into effect in 2012, stipulates, among
other things, requirements for service providers to maintain the security of computer data.
The Philippines recently began the application process in order to participate in the Asia-
Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') system.

Legal Bases

1. Consent

The processing of personal data may be permitted if the data subject has given
their consent.

2. Contract with the data subject

The processing of personal information may be permitted if the processing of personal

information is necessary and is related to the fulfilment of a contract with the data
subject, or in order to take steps at the request of the data subject prior to entering into
a contract.

3. Legal obligations

The processing of personal information may be permitted if the processing is necessary

for compliance with a legal obligation to which the PIC is subject.

4. Interests of the data subject

The processing of personal data may be permitted if the processing is necessary to

protect vitally important interests of the data subject, including life and health.

5. Public interest
The processing of personal data may be permitted if the processing is necessary in
order to respond to national emergency, to comply with the requirements of public
order and safety, or to fulfil functions of public authority which necessarily include the
processing of personal data for the fulfilment of its mandate.

6. Legitimate interests of the data controller

The processing of personal information may be permitted if the processing is necessary

for the purposes of the legitimate interests pursued by the PIC or by a third party or
parties to whom the data is disclosed, except where such interests are overridden by
fundamental rights and freedoms of the data subject which require protection under
the Constitution.

7. Legal bases in other instances

For legal bases specific to the processing of sensitive data and privileged information,
please see Section on special categories of personal data below.

Principles

The Act and its IRR provide that a PIC and PIP shall be accountable for complying with
the requirements of the Act, IRR, and NPC Issuances. Particularly, a PIC and PIP shall
adhere to the general principles of data privacy, implement reasonable and appropriate
organisational, physical, and technical security measures for the protection of personal
data, and uphold the rights of data subjects. These security measures should ensure the
availability, integrity, and confidentiality of the personal data being processed.

In general, a PIC and PIP are mandated to adhere to the general principles of
transparency, legitimate purpose, and proportionality. Flowing from these general
principles are those which govern the collection, processing, and retention of personal
data, such that:

 collection must be for a declared, specified, and legitimate purpose;

 personal data shall be processed fairly and lawfully;
 processing should ensure data quality;
 personal data shall not be retained longer than necessary; and
 any authorised further processing shall have adequate safeguards.

Controller and Processor Obligations
Data controller

The PIC shall be responsible for personal data under its control or custody, as well as
personal data outsourced or transferred to a PIP or a third party for processing.
Personal data is generally considered under a PIC's control or custody even when the
personal data is outsourced or transferred to a PIP or third party, whether domestically
or internationally.  Accordingly, it shall use contractual or other reasonable means to
provide a level of protection to personal data comparable to the Act while personal data
is being processed by a PIP or third party. The PIC shall likewise designate an individual
or individuals who shall be accountable for compliance with the aforementioned.

Processor

Similar to a PIC, the PIP shall uphold the rights of the data subject, and implement
adequate organisational, physical, and technical security measures in relation to the
personal data it processes.

The PIP processes personal data on behalf of a PIC and only upon the documented
instructions of the PIC, therefore it cannot process the personal data for its own
purposes or engage another PIP without prior instruction from the PIC. In addition, the
PIP has certain obligations to the PIC under the law.

1. Data processing notification

Pursuant to Sections 46 and 47 of the IRR, the PIC and PIP operating in the Philippines
shall register their data processing systems, defined as structures and procedures by
which personal data is collected and further processed in an information and
communications system or relevant filing system with the NPC in the following
instances:

 the PIC or PIP employs at least 250 employees;

 the processing includes sensitive personal information of at least 1,000
individuals;
 the processing is likely to pose a risk to the rights and freedoms of data subjects;
or
 the processing is not occasional.

Mandatory registration also does not apply to foreign corporations that do not operate
or do business in the Philippines and do not process personal data through data
processing systems operating in the Philippines (AO 2018-043).
In Circular 17-01, however, registration of data processing systems with the NPC was
made mandatory for all government bodies or entities, banks and non-bank financial
institutions, telecommunications networks/internet service providers/other entities
providing similar services, business process outsourcing companies, schools and
training institutions, hospitals, providers of insurance undertakings, direct marketing or
networking business/companies providing reward cards and loyalty programs,
pharmaceutical companies engaged in research, and PIPs processing personal data for
PICs in the above-mentioned areas and data processing systems involving automated
decision-making.

In this regard, the NPC has issued a list of specific sectors, industries, and entities in
which processing will likely pose a risk to the rights and freedoms of data subjects
and/or where processing is not occasional, and therefore require mandatory
registration:

 government branches, bodies, or entities;

 banks and financial institutions;
 telecommunication networks, internet service providers, and other entities or
organisations providing similar services;
 business process outsourcing companies;
 universities, colleges, and other training institutions;
 hospitals;
 insurance providers and brokers;
 direct marketing and networking businesses and companies providing reward
cards and loyalty programmes;
 pharmaceutical companies engaged in research; and
 PIPs processing personal data for a PIC included in the preceding items, and data
processing systems involving automated decision-making.

The contents of registration shall include (Section 47(a) of the IRR):

 the name and address of the personal information controller or personal

information processor, and of its representative, if any, including their contact
details;
 the purpose or purposes of the processing, and whether processing is being done
under an outsourcing or subcontracting agreement;
 a description of the category or categories of data subjects, and of the data or
categories of data relating to them;
 the recipients or categories of recipients to whom the data might be disclosed;
 proposed transfers of personal data outside the Philippines;
 a general description of privacy and security measures for data protection;
  brief description of the data processing system;
 copy of all policies relating to data governance, data privacy, and information
security;
 attestation to all certifications attained that are related to information and
communications processing; and
 name and contact details of the compliance or data protection officer, which shall
immediately be updated in case of changes.

Organisations falling under the registration obligation must do so with the NPC within
two months of the commencement of its processing system (Section 7 of Circular 17-
01). The notification can be completed through a data protection officer ('DPO').
However, where a data controller or data processor has several DPOs, only one may be
authorised to file the notification (Section 8 of Circular 17-01).

Notification of automated processing operations

In addition to the requirement to register data processing systems, a PIC carrying out
any wholly or partly automated processing operations that is intended to serve a single
purpose or several related purposes must also notify the NPC when the automated
processing becomes the sole basis of decision-making about a data subject, and when
the decision would significantly affect the data subject (Sections 46(b) and 48 of the
Implementing Regulations).

This notification shall include the following information (Section 48(a) of the

Implementing Regulations):

 purpose of processing;
 categories of personal data to undergo processing;
 category or categories of data subject;
 consent forms or manner of obtaining consent;
 the recipients or categories of recipients to whom the data are to be disclosed;
 the length of time the data are to be stored;
 methods and logic utilised for automated processing;
 decisions relating to the data subject that would be made on the basis of
processed data or that would significantly affect the rights and freedoms of data
subject; and
 names and contact details of the compliance or data protection officer.

A data controller or data processor that carries out any automated decision-making
operation shall notify the NPC via the mandatory registration process (Section 24 of
Circular 17-01).
Upon request by the NPC, a data controller or data processor shall make available
additional information and supporting documents pertaining to its automated decision-
making operation, including (Section 26 of the Circular):

 consent forms or manner of obtaining consent;

 retention period for the data collected and processed;
 methods and logic utilised for automated processing; and
 possible decisions relating to the data subject based on the processed data,
particularly if they would significantly affect his/her rights and freedoms.

Amendments or updates to registered information, including significant changes in the

description of the data processing system, must be made within two months from the
data such changes take into effect (Section 15 of the Circular).

Registration

A data controller or data processor must register through the NPC's official website in
two phases (Section 9 of the Circular):

Phase I: a data controller or data processor, through its DPO, shall accomplish the
prescribed application form, and submit the same to the NPC together with all
supporting documents. Upon review and validation of the submission, the NPC shall
provide the data controller or data processor via email an access code, which shall allow
it to proceed to Phase II of the registration processes.

Phase II: using the access code, a data controller or data processor shall proceed to the
online registration platform and provide all relevant information regarding its data
processing systems. The NPC shall notify the PIC or PIP via email to confirm the latter's
successful completion of the registration process. Registration may be done in person
at the office of the NPC in the event that online access is not available.

The application for registration filed by a data controller or data processor, which is a
private entity, must be duly notarised and accompanied by the following documents
(Section 10 of the Circular):

 duly notarised Secretary's certificate authorising the appointment or designation

of DPO, or any other document that demonstrates the validity of the appointment
or designation;
 certified true copy of the following documents, where applicable:
o general information sheet or any similar document;
o certificate of registration (or any similar document); and/or
 o franchise, licence to operate, or any similar document.

The NPC announced on, 6 March 2020 that it extended, until 31 August 2020, the
validity of the registration of PICs and PIPs to make way for the new automated system
launched in July 2020 ('the Extension'). The Extension covered the PICs and PIPs that
previously completed at least Phase-I of their NPC registration, while those had not
done so were required to register a DPO immediately. In addition, since 1 July 2020, the
NPC began accepting applications for renewal of registration using the new system.

For queries, DPOs may call the NPC at (02) 8234-2228 local 118, +639101029114 (Smart),
+639652863419 (Globe), or email at mailto:[email protected].

2. Data transfers

Data transfers to third parties, including transfers to an affiliate or parent company,

require the consent of the data subject and, as discussed in section on data subject
rights, the execution of a data sharing agreement or use of a contract or other
reasonable means to provide a comparable level of protection while the personal data
is being processed by the third party.

On the other hand, outsourcing or subcontracting generally does not require the
consent of the data subject but requires the execution of an outsourcing or
subcontracting agreement. In an outsourcing or subcontracting agreement, the PIC shall
use contractual or other reasonable means to ensure that proper safeguards are in
place, to ensure the confidentiality, integrity, and availability of the personal data
processed, prevent its use for unauthorised purposes, and generally, comply with the
requirements of the Act, the IRR, other applicable laws for processing of personal data
and other issuances of the NPC. 

The transfer of personal data to foreign countries is generally permitted, subject to the
relevant provisions of the Act, the IRR and other NPC issuances.

Data localisation

With respect to the private sector, there are currently no data localisation requirements
in the Philippines specifically governing personal data, subject to the applicable
provisions of the Philippines data privacy laws including, among others, the need for
consent of the data subject (as may be necessary) and data transfer requirements.

3. Data processing records

The IRR states that any natural or juridical person or other body involved in the
processing of personal data shall maintain records that sufficiently describe its data
processing system, and identify the duties and responsibilities of those individuals who
will have access to personal data.

4. Data protection impact assessment

The requirement for the conduct of a Privacy Impact Assessment ('PIA') stems from the
duty of the PIC to implement reasonable and appropriate measures intended for the
protection of personal data against any accidental or unlawful destruction, alteration,
and disclosure, as well as against any other unlawful processing. In determining the
appropriate level of security, the PIC must take into account the nature of the personal
information to be protected, the risks represented by the processing, the size of the
organisation, and complexity of its operations, current data privacy best practices, and
the cost of security implementation.

A PIC may require a PIP to conduct a PIA. A PIA should generally be undertaken for
every processing system of a PIC or PIP involving personal data. Nonetheless, the PIC or
PIP may forego the conduct of a PIA but only if it determines that the processing
involves minimal risks to the rights and freedoms of individuals, taking into account
recommendations from the data protection officer ('DPO').

The NPC recommends that a PIA is undertaken as part of any organisation's security
incident management policy (Section 6 of the Circular 16-03). In general, this applies to
every processing system that involves personal data (Advisory 17-03).  Further, the
recommendation of a PIA is applicable to both PICs and PIPs who are primarily
accountable for the conduct of the same.A recommendation for the conduct of a PIA
may also come from the data protection officer ('DPO') of the PIC or PIP (Advisory 17-03)

In addition, a PIA should be conducted for both new and existing systems, programs,
projects, procedures, measures, or technology products that involve or impact
processing personal data. Whereas for new processing systems, a PIA should be
conducted prior to their adoption, use, or implementation. Changes in the governing
law or regulations, or those adopted within the organisation or its industry may likewise
require conducting a PIA, particularly if such changes affect personal data processing
(Advisory 17-03).

There is no prescribed standard or format for a PIA. As such, the PIC or PIP may
determine the structure and form of the PIA that it will use. It is not precluded from
utilising any existing methodology, provided such methodology is acceptable based on
the following criteria: t is not precluded from utilising any existing methodology,
provided such methodology is acceptable based on the following criteria (pages 6 and 7
of the Guidelines):

 it provides a systematic description of the personal data flow and processing

activities of the PIC or PIP, including:
o purpose of the processing, including, where applicable, the legitimate
interest pursued by the PIC or PIP;
o data inventory identifying the types of personal data held by the PIC or PIP;
o sources of personal data and procedures for collection;
o functional description of personal data processing, including a list of all
information repositories holding personal data and their location, and types
of media used for storage;
o transfers of personal data to another agency, company, or organisation,
including transfers outside the country, if any;
o storage and disposal method of personal data;
o accountable and responsible persons involved in the processing of personal
data; and
o existing organisational, physical, and technical security measures; and
 it includes an assessment of the adherence by the PIC or PIP to the data privacy
principles, the implementation of security measures, and the provision of
mechanisms for the exercise by data subjects of their rights under the Act;
 it identifies and evaluates the risks posed by a data processing system to the
rights and freedoms of affected data subjects, and proposes measures that
address them:
o risk identification: risks include natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration, and contamination;
o risks evaluation based on impact and likelihood: the severity or extent of
the impact of a breach or privacy violation on the rights and freedoms of
data subjects must be determined. The probability of the risk happening
and the sources of such risk should also be taken into consideration; and
o remedial measures: based on an assessment of risks, measures should be
proposed on how to address and manage the said risks; and
 it is an inclusive process, in that it ensures the involvement of interested parties
and secures inputs from the DPO and data subjects.

Exceptions

The PIC or PIP may forego the conduct of a PIA only if it determines that the processing
involves minimal risks to the rights and freedoms of individuals, taking into account
recommendations from the DPO. In making this determination, the PIC or PIP should
consider the size and sensitivity of the personal data being processed, the duration and
extent of processing, the likely impact of the processing to the life of the data subject,
and possible harm in case of a personal data breach (Advisory 17-03).

Documentation and procedurs for review

Notably, a PIA requires documentation and procedures for review. Its results should be
contained in a corresponding report. The PIC or PIP must maintain a record of all its PIA
reports. When a report contains information that is privileged or confidential, the PIC or
PIP may prepare a PIA Summary that can be made available to data subjects upon
request. Other means of communicating the results of the PIA to internal and external
stakeholders should be considered, such as publishing key findings or result summaries
on the PIC or PIP website, through newsletters, annual reports, and other similar
materials (Advisory 17-03).

In regard to conducting a DPIA, the Guidelines provide guidance on how to plan a PIA
(pages 7 to 8 of the Guidelines) and the preparatory activities that should be considered
leading up to a PIA (pages 8 to 9 of the Guidelines).

Furthermore, the PIA Guide details each of the following steps:

 project/system description;
 threshold analysis;
 stakeholder engagement;
 personal data flows;
 impact analysis; and
 risk management.

5. Data protection officer appointment

The IRR states that any natural or juridical person involved in the processing of personal
data must designate an individual(s) who shall function as a DPO and whose role
includes ensuring compliance with the applicable laws and regulations for the
protection of data privacy and security. In addition, to designating an individual or
individuals who are accountable for the organisation’s compliance with the Act, the
controller must also inform data subjects of their identity upon request.

Furthermore, pursuant to Section 26(a) of the IRR, both controllers and processors are
obligated to appoint an individual or individuals to function as DPOs or 'compliance
officers' who will be accountable for ensuring compliance with the relevant privacy and
data protection laws and regulations.
NPC advisory guidance

In certain circumstances, an organisation may appoint a 'Compliance Officer for Privacy'

('COP') in addition to a DPO. A COP is defined in Advisory 2017-01 as someone who
performs some of the functions of a DPO. An organisation in the private sector may
appoint a COP where it has branches, sub-offices or any other component units, in
which case a COP may be appointed for each component unit (Advisory 2017-01).

Furthermore, for the purpose of determining compliance, each natural or juridical

person engaged in the processing of personal data, whether as a controller or
processor, is considered a separate entity. This would require each entity to designate a
separate and distinct DPO, regardless of their relationship under corporation law.
However, requests to designate a common DPO for a group of related companies can
be made to the NPC. Various factors will be taken into account, such as the capacity of
the DPO, the complexity of the processing operations involved, and the volume of
personal data being processes (Advisory 2017-013).

In particular, controllers and processors are advised to comply with the following
guidelines (Advisory 2017-01):

 the DPO or COP should be a full-time or organic employee and ideally retain a
regular or permanent position;
 where the employment of the DPO or COP is based on a contract, the term or
duration thereof should at least be two years to ensure stability;
 the DPO or COP should act independently in the performance of their functions
and enjoy a sufficient degree of autonomy;
 the DPO or COP should not receive direct instructions from the controller or
processor regarding the exercise of their tasks; and
 the DPO or COP may perform other tasks or functions or may already hold a
position within the organisation, provided that such tasks or functions do not give
rise to any conflict of interest.

Finally, there is no explicit prohibition on outsourcing or subcontracting the functions of

the DPO or COP. However, the NPC's prescription that a DPO or COP should be a full-
time or organic employee of the organisation is premised on the important principle
that the DPO or COP is expected to fulfil certain functions vis-à-vis  the organisation. The
fact that the DPO or COP is not an employee therefore does not allow to the
organisation to deny accountability where the DPO or COP fails to comply with the
relevant privacy and data protection laws and regulations (Advisory 2017-019).
As an exception and subject to the approval of the NPC, a group of related companies
may, instead of appointing individual DPOs, appoint or designate the DPO of one of its
members to be primarily accountable for ensuring the compliance of the entire group
with all data protection policies; however, the individual members of the group shall
instead appoint a Compliance Officer for Privacy ('COP'), which refers to an individual(s)
who will perform some of the functions of a DPO. Private entities with branches, sub-
offices, and other components units may also appoint or designate a COP for each
component unit.

Contact details of the DPO

The name and contact details of the DPO or any other individuals accountable for
ensuring compliance with the relevant laws must be kept on record (Section 26(c)(5) of
the IRR). In particular, to ensure the relevant stakeholders (e.g. the NPC, data subjects,
etc.) can easily, directly and confidentially contact the DPO or COP, their contract details
must be published on the organisation's website, privacy notice, privacy policy, and
privacy manual or guide (Advisory 17-01). The contact details of the DPO and CPO
should include (Advisory 17-01):

 title or designation;
 postal address;
 a dedicated telephone number; and
 a dedicated email address.

The role and professional qualifications

A DPO's duties and responsibilities include (Advisory 2017-01):

 monitoring the controller or processor's compliance with the Act, the IRRs,
issuances by the NPC, and other applicable laws and policies. For this purpose,
the DPO may:
o collect information, and maintain a record of, regarding processing
operations, activities, measures, projects, programmes, or systems;
o analyse and check the compliance of processing activities, including the
issuance of security clearances to, and compliance by, third party service
providers;
o inform, advise, and issue recommendations to the controller or processor;
o ascertain and renew the accreditations or certifications necessary to
maintain the required standards in personal data processing; and
 o advise the controller or processor regarding the necessity of executing a
data sharing agreement with third parties and ensure its compliance with
the law;
 ensuring the conduct of PIA in relation to the identified activities, measures,
projects, programmes, or systems;
 advising the controller or processor regarding complaints as well as the exercise
of data subject rights;
 ensuring proper data breach and security incident management by the controller
or processor, including ensuring the preparation and submission of reports and
other documentation to the NPC within the prescribed period;
 informing and cultivating awareness on privacy and data protection within the
organisation, including all relevant laws, rules, and regulations and issuances of
the NPC;
 advocating for the development, review, and/or revision of policies, guidelines,
projects, and/or programmes of the controller or processor relating to privacy and
data protection by adopting a Privacy by Design approach;
 serving as the point of contact for data subjects, the NPC, and other authorities in
all matters concerning data privacy or security issues or concerns as well as the
controller or processor;
 cooperating, coordinating, and seeking advice of the NPC regarding matters
concerning data privacy and security; and
 performing other duties and tasks that may be assigned by the controller or
processor that will further the interest of data privacy and security and uphold the
rights of the data subjects.

As for the functions of a CPO, Advisory 2017-01 stipulates that the CPO will undertake
all of the above duties, except for monitoring the controller or processor's compliance,
ensuring the conduct of PIAs, and advising on complaints and data subject rights.

In regard to professional qualifications, Advisory 2017-01, DPOs should possess

specialised knowledge and demonstrate reliability necessary for their duties. This
includes having expertise in relevant privacy or data protection policies and practices as
well as possessing a sufficient understanding of the processing operations being carried
out by the controller or processor, including information systems, data security, and/or
data protection needs. Knowledge of the sector or field of the entity, and the
organisation's internal structure, policies, and processes is also considered useful.
Furthermore, in relation to COPs, the minimum qualifications required should be
proportionate to their functions.

Obligations of the data controller and data processor

In relation to the DPO or COP, the data controller and data processor should (Advisory
17-01):

 effectively communicate to its personnel, the designation of the DPO or COP and
their functions;
 allow the DPO or COP to be involved from the earliest stage possible in all issues
relating to privacy and data protection;
 provide sufficient time and resources (e.g. financial, infrastructure, equipment,
training, and staff) necessary for the DPO or COP to keep updated with the
developments in data privacy and security and to carry out their tasks effectively
and efficiently;
 grant the DPO or COP appropriate access to the personal data it is processing,
including the processing systems;
 where applicable, invite the DPO or COP to participate in meetings of senior and
middle management to represent the interest of privacy and data protection;
 promptly consult the DPO or COP in the event of a personal data breach or
security incident; and
 ensure that the DPO or COP is made a part of all relevant working groups that
deal with personal data processing activities conducted inside the organisation or
with other organisations.

However, in the interest of ensuring autonomy and independency, a data controller or

processor should not directly or indirectly penalise or dismiss the DPO or COP for
performing their tasks. This includes even the mere threat of penalty as this may have
the effect of impeding or preventing the DPO or COP from performing their tasks.
However, nothing shall preclude the legitimate application of labour, administrative,
civil or criminal laws against the DPO or COP, based on just or authorised grounds
(Advisory 17-01).

6. Data breach notification

A PIC must notify the NPC and the affected data subjects upon knowledge that a
personal data breach requiring notification has occurred.

The following conditions determine when a personal data breach requires notification:

 the personal data involves sensitive personal information or any other

information that may be used to enable identity fraud;
 there is reason to believe that the information may have been acquired by an
unauthorised person; and
  the PIC or the NPC believes that the unauthorised acquisition is likely to give rise
to a real risk of serious harm to any affected data subject. 

Furthermore, the notification shall be subject to the following procedures:

 the PIC is generally required to notify the NPC and the affected data subject(s),
within 72 hours from the knowledge of, or when there is reasonable belief by the
PIC or PIP that, a personal data breach requiring notification has occurred;
 the notification shall describe, among others, the nature of the breach, the
personal data likely to have been involved, and measures taken by the entity to
address the breach; and
 the notification shall be submitted to the NPC through written or electronic form,
and shall include, among others, the name and contact details of the DPO and a
designated representative of the PIC.

Annual Security Incident Reportorial Requirement

To ensure compliance with data privacy laws and to strengthen the monitoring of
threats and vulnerabilities that may affect personal data protection, the NPC requires
PICs and PIPs to submit an annual report summarising all security incidents and
personal data breaches. The annual report should contain all security incidents and
personal data breaches of a PIC and PIP from 1 January to 31 December of the
preceding year. In addition, it should include a summary of every breach incident and
the aggregate number of non-breach incidents.

7. Data retention

Personal data shall not be retained in perpetuity in contemplation of a possible future

use yet to be determined. Retention of personal data shall only be for as long as
necessary:

 for the fulfilment of the declared, specified, and legitimate purpose, or when
processing for the purpose has been terminated;
 for the establishment, exercise, or defence of legal claims; or
 for legitimate business purposes, which must be consistent with standards
followed by the applicable industry or approved by the appropriate government
agency.

Nonetheless, retention of personal data shall be allowed in cases provided by law.

8. Children's data
The NPC has stated that children merit specific protection with regard to their personal
data, as they may be less aware of the risks, consequences, and safeguards concerned
and their rights in relation to the processing of personal data. In NPC Advisory Opinion
No. 2017-49: Teachers right to search a minor students cellular phone and NPC Advisory
Opinion No. 2019-46: Inter-agency council against trafficking (IACAT) request for
information with the Philippine Statistics Authority (PSA), the NPC explained that a
minor cannot validly provide the consent needed under the Act. Hence, before the
personal data of minors may be lawfully processed, the consent of their parents or legal
guardians should first be obtained. Absent such consent, the processing of a minor's
personal data must have a lawful basis under existing laws, rules, or regulations.

9. Special categories of personal data

The processing of sensitive data and privileged information shall be prohibited, except
in the following cases:

 the data subject has given their consent, specific to the purpose prior to the
processing, or in the case of privileged information, all parties to the exchange
have given their consent prior to processing;
 the processing of the same is provided for by existing laws and regulations
provided that such regulatory enactments guarantee the protection of the
sensitive personal information and the privileged information, and provided
further, that the consent of the data subjects are not required by law or regulation
permitting the processing of the sensitive personal information or the privileged
information;
 the processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express
their consent prior to the processing;
 the processing is necessary to achieve the lawful and non-commercial objectives
of public organisations and their associations provided that such processing is
only confined and related to the bona fide members of these organisations or
their associations, provided further, that the sensitive personal information are
not transferred to third parties, and provided finally, that consent of the data
subject was obtained prior to processing;
 the processing is necessary for purposes of medical treatment, is carried out by a
medical practitioner or a medical treatment institution, and an adequate level of
protection of personal data is ensured; or
 the processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise, or defence of legal claims, or when
provided to government or public authority.
10. Controller and processor contracts

Agreements for the processing of personal data may be in the form of data sharing
arrangements, outsourcing, or subcontracting arrangements.

Data sharing refers to disclosures or transfers of personal data by PICs or PIPs to third
parties. If such disclosure is made by a PIP, such must have been upon the instruction
of the PIC concerned.  In contrast, outsourcing or subcontracting refers to disclosures or
transfers of personal data by PICs to PIPs, in order for the latter to process the data
according to the instructions of the PICs. 

Data sharing may be covered by a data sharing agreement or a similar document

containing the terms and conditions of the sharing arrangement. Data sharing for
commercial purposes must be covered by a data sharing agreement, which shall
establish adequate safeguards for data privacy and security in order to uphold the
rights of data subjects. Outsourcing or subcontracting arrangements must likewise be
governed by a contract or other legal act that binds the PIP to the PIC, and must set out,
among others, the subject matter and duration of the processing, the nature and
purpose of the processing, the type of personal data and categories of data subjects,
the obligations and rights of the PIP, and the geographic location of the processing
under the subcontracting agreement. 

Penalties

Any natural or juridical person, or other body involved in the processing of personal
data who fails to comply with the Act, the IRR, or other issuances of the NPC and found
to have committed a violation of the Act and its IRR may be subject to administrative,
civil, and criminal liabilities.

The penalties provided in the Act and its IRR range from six months to seven years of
imprisonment, together with fines ranging from PHP 100,000 (approx. €1,700) to PHP 5
million (approx. €87,100) based on whether personal information or sensitive personal
information is involved. Moreover, additional penalties may apply depending on the
identity of the offender and the number of affected data subjects.

If the offender is a corporation, partnership, or any other juridical person, the penalty
shall be imposed upon the responsible officers who participated in, or by their gross
negligence, allowed the commission of the crime. If the offender is an alien, he or she
shall be deported without further proceedings after serving the penalties prescribed.

Enforcement decisions
Pursuant to its authority to compel any entity to abide by its orders on a matter of data
privacy, the NPC has issued decisions, resolutions, and orders to various entities, which
are published on its website.  We discuss below some of these enforcement decisions.

Decisions

The NPC has issued decisions on complaints of privacy violations, directing or advising
the concerned PIC to:

 revise its daily time record system and PIA to reflect and address compliance gaps
brought about by actual, current practices and as identified in the letter-complaint
(NPC CID Case No. 17-K-003);
 submit the designation of DPO/ CPO, a copy of its Security Incident Management
Policy, including documents demonstrating the creation of its Breach Response
Team as well as the dissemination of the Security Incident Management Policy,
and the complete Post-Breach Report on the management of a Personal Data
Breach (NPC CID Case No. 17-002);
 act on a request for correction of a data subject's account, which had not been
addressed, and provide assistance to the affected data subject to ensure that he
is able to exercise his rights in accordance with the law (CID No. 17-K-004);
 furnish, among others, proof of its on-boarding a data privacy consultant, proof of
registration with the NPC, a copy of its Data Privacy Manuals and Privacy Notice;
proof of its conduct of data privacy awareness and trainings for its employees
(NPC 18-103);
 submit a complete report on the measures it has undertaken or will undertake to
address the issue of delayed response to their customers' request in relation to
their rights as data subjects (CID 17-K-004);
 furnish the complainant with the name of the recipient of her personal
information in compliance with Section 16(c)(3) of the Act, and pay nominal
damages for violation of the complainant's right to access (NPC 19-653); and
 pay nominal damages for failure to fulfil its obligation as a PIC to ensure that the
information of the data subject is kept up to date, resulting in the processing of
inaccurate information (NPC 21-086).

Resolutions

The NPC has issued resolutions confirming or advising that:

 PICs and PIPs that practice larger-scale and higher-risk type of processing are
expected to provide data subjects with clear, concise, intelligible, and easy to
understand information to guide and provide the data subjects with a clear
 picture and genuine choice about their use of their personal data to comply with
the principle of transparency (NPC Case No. 17-001);
 the on-site examination in the Rules of Procedure of the NPC is not mandatory,
and is discretionary to the investigating officer (NPC Case No. 17-003); and
 the technical security measures employed by a PIC telecommunication company
are sufficient to prevent, correct, and mitigate security incidents that can lead to a
personal data breach; however, it should hold its personnel accountable when
there is delay on the deactivation and replacement of SIM cards to ensure strict
compliance with its privacy policies and procedures and prevent similar incidents
in the future (NPC Case No. 17-K-001).

Orders

The NPC has issued orders directing the concerned PIC to:

 notify all data subjects of an unauthorised online publication of the PIC's website
database and to explain why further action should not be taken against the PIC
for failure to notify the data subjects of the occurrence of a data breach within the
required 72-hour period (Commission-Issued Order CIDBN No. 18-058 on Wendy’s
Restaurant, Inc (PRO) Data Breach);
 suspend the PIC's food delivery website and to submit a security plan to address
data privacy concerns discovered during a vulnerability assessment conducted by
the NPC (Commission-Issued Order CIDBN No. 17-043 on Jollibee Foods
Corporation);
 submit a comprehensive data breach notification report and to notify affected
data subjects, in accordance with Circular 16-03, and to establish a help desk for
Filipino users on data privacy matters (Commission-Issued Order CIDBN No. 18-J-
162 on Facebook Forced Logout);
 cease and desist from implementing the PIC's pilot test and plans to roll out three
new data processing systems because of deficiencies in the systems’ risk
assessment and mitigation, insufficient PIA and privacy notice, and the unclear
purpose behind the data processing (NPC CC 20-001 In re: Grab Philippines);
 cease and desist from the processing of personal data in its possession until the
NPC issues a decision on its comment (In Re: Lisensya.info); and
 cease and desist from the processing of personal data in its database until the
NPC issues a decision on its comment (Commission-Issued CID-CDO-21-003 on
PiliPinas2022.ph).