8.6 Data Privacy Act (RA 10173)


“It is the policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and growth.”
8.6.1 Definitions

Commission - National Privacy Commission (NPC)

Consent of the data subject - any freely given, specific, informed indication of will, whereby the data subject agrees
to the collection and processing of personal information about and/or relating to him or her. Consent shall be
evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.
Data subject - an individual whose personal information is processed
Direct marketing - communication by whatever means of any advertising or marketing material which is directed to
particular individuals.
Filing system - any set of information relating to natural or juridical persons to the extent that, although the
information is not processed by equipment operating automatically in response to instructions given for that
purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals,
in such a way that specific information relating to a particular person is readily accessible
Information and Communications System - a system for generating, sending, receiving, storing or otherwise
processing electronic data messages or electronic documents, and includes the computer system or other
similar device by or in which data is recorded, transmitted or stored, and any procedure related to the
recording, transmission or storage of electronic data, electronic message, or electronic document.

Personal information - any information whether recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an individual.
Personal information controller (PIC)
• a person or organization who controls the collection, holding, processing or use of personal information,
including a person or organization who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or her behalf
• Excludes: a person or organization who performs such functions as instructed by another person or organization; and
an individual who collects, holds, processes or uses personal information in connection with the individual’s
personal, family or household affairs
Personal information processor - any natural or juridical person qualified to act as such, to whom a personal
information controller may outsource the processing of personal data pertaining to a data subject
Processing - any operation or any set of operations performed upon personal information including, but not limited
to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data
Privileged information - any and all forms of data which under the Rules of Court and other pertinent laws constitute
privileged communication
Sensitive personal information - personal information:
• about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
• about an individual’s health, education, genetic or sexual life, or to any proceeding for any offense
committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of
any court in such proceedings
• issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or revocation, and tax returns
• specifically established by an executive order or an act of Congress to be kept classified


Profiling - any form of automated processing of personal data consisting of the use of personal data to evaluate
certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that
natural person’s performance at work, economic situation, health, personal preferences, interests, reliability,
behavior, location or movements
Security incident - an event or occurrence that affects or tends to affect data protection, or may compromise the
availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal
data breach, if not for safeguards that have been put in place.

8.6.2 Scope of application

The natural or juridical person involved in the processing of personal data is found or established in the Philippines
The act, practice or processing relates to personal data about a Philippine citizen or Philippine resident
The processing of personal data is being done in the Philippines
The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with
due consideration to international law and comity
• Use of equipment located in the country, or maintains an office, branch or agency in the Ph for processing of personal data
• A contract is entered in the Ph;
• A juridical entity unincorporated in the Ph but has central management and control in the country
• has a branch, agency, office or subsidiary in the Ph and the parent or affiliate of the Ph entity has access to personal data
• carries on business in the Ph
• collects or holds personal data in the Ph
Does not apply to:
1. information about any individual who is or was an officer or employee of a government institution that relates to
the position or functions of the individual, including: the fact that the individual is or was an officer or employee;
the title, office address, and office telephone number; the classification, salary range, and responsibilities; and
his/her name on a document he or she prepared in the course of employment
2. information about an individual who is or was performing a service under contract for a government institution
3. a benefit of a financial nature conferred on an individual upon the discretion of the government, such as
the granting of a license or permit, including the name of the individual and the exact nature of the benefit
4. personal information processed for journalistic, artistic or literary purpose
5. personal information processed for research purpose
6. information necessary in order to carry out the functions of public authority
7. information necessary for banks and other financial institutions (under applicable law)
8. personal information originally collected from residents of foreign jurisdictions

Protection Afforded to Journalists and Their Sources

Nothing in this Act shall be construed as to have amended or repealed the provisions of RA No. 53 “Press Freedom
Law”, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical
of general circulation protection from being compelled to reveal the source of any news report or information
appearing in said publication which was related in any confidence to such publisher, editor, or reporter

8.6.3 Data Privacy Principles


The processing of personal data shall be allowed, subject to
compliance with the requirements of DPA and other laws allowing disclosure of information to the public, and
adherence to the principles of transparency, legitimate purpose, and proportionality

Transparency
The data subject must be aware of:
• the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved
• the identity of the personal information controller
• his or her rights as a data subject, and how these can be exercised

“Any information and communication relating to the processing of personal data
should be easy to access and understand, using clear and plain language”
Legitimate purpose
The processing of information shall be compatible with a declared and specified purpose
which must not be contrary to law, morals, or public policy

Proportionality
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to
a declared and specified purpose.

General principles in collection, processing and retention


Collection must be for a declared, specified, and legitimate purpose
Personal data shall be processed fairly and lawfully
Processing should ensure data quality
Personal Data shall not be retained longer than necessary
Any authorized further processing shall have adequate safeguards

8.6.4 Processing of personal data


any operation or any set of operations performed upon personal information including, but not limited to:
• collection
• recording
• organization
• storage
• updating or modification
• retrieval
• consultation
• use
• consolidation
• blocking
• erasure or destruction of data
(Personal data: information that, alone or taken together, can identify an individual.)
Criteria for Lawful Processing of Personal Information

with consent
necessary and is related to the fulfillment of a contract
for compliance with a legal obligation to which the PIC is subject
to protect vitally important interests of the data subject, including life and health
in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill
functions of public authority
for the purposes of the legitimate interests pursued by the PIC or by a third party or parties to whom the data is
disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject
which require protection under the Philippine Constitution

Sensitive Personal Information and Privileged Information

Sensitive personal information can be used to:
• discriminate
• humiliate
• identify (government-issued information)
• classified/confidential information (e.g., birth certificate)

Examples of privileged information: attorney-client privileged information, doctor-patient privileged information,
marital privileged communication, priest-penitent (confession) privileged information.

Processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
• with consent
• provided for by existing laws and regulations
• necessary to protect the life and health of the data subject or another person, and the data subject is not legally
or physically able to express his or her consent prior to the processing
• to achieve the lawful and noncommercial objectives of public organizations and their associations
• for purposes of medical treatment (carried out by a medical practitioner or a medical treatment institution)
• for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the
establishment, exercise or defense of legal claims, or when provided to government or public authority
8.6.5 Security measures for protection of personal data

Data Privacy and Security

Personal information controllers (PIC) and personal information processors (PIP) shall implement reasonable and
appropriate organizational, physical and technical (OPT) security measures for the protection of personal data.
The security measures shall aim to maintain the availability, integrity and confidentiality of personal data, and
to protect personal data against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing.

1. Organizational Security Measures
a. Compliance Officers - accountable for ensuring compliance with applicable laws and regulations for
the protection of data privacy and security

b. Data Protection Policies
Data protection policies shall implement data protection principles both at the time of the determination of the
means for processing and at the time of the processing itself, and shall implement appropriate security measures
that apply to:
• the amount of personal data collected
• the extent of processing involved
• the period of their storage
• their accessibility
Policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.
c. Records of Processing Activities
Records shall include:
• purpose of the processing of personal data, including any intended future processing or data sharing
• a description of all categories of data subjects, personal data, and recipients of such personal data
• general information about the data flow within the organization, from the time of collection, processing, and
retention, including the time limits for disposal or erasure of personal data
• general description of the organizational, physical, and technical security measures
• name and contact details of the PIC and, where applicable, the joint controller, its representative,
and the compliance officer or Data Protection Officer, or others
d. Management of Human Resources
Any natural or juridical person or other entity involved in the processing of personal data shall be
responsible for selecting and supervising its employees, agents, or representatives, particularly those who
will have access to personal data.
e. Processing of Personal Data
• procedures for the collection of personal data, including procedures that limit the processing of data, to ensure
that it is only to the extent necessary for the declared, specified, and legitimate purpose
• policies for access management, system monitoring, and protocols to follow during security incidents or
technical problems
• policies and procedures for data subjects to exercise their rights under the DPA
• data retention schedule, including timeline or conditions for erasure or disposal of records
f. Contracts with Personal Information Processor
It shall only engage those personal information processors that provide sufficient guarantees to implement
appropriate security measures and ensure the protection of the rights of the data subject
2. Physical Security Measures

policies and procedures shall be implemented to monitor and limit access to and activities in the room,
workstation or facility, including guidelines that specify the proper use of and access to electronic media
design of office space and work stations, including the physical arrangement of furniture and equipment
duties, responsibilities and schedule of individuals involved in the processing of personal data
ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time
policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media
policies and procedures that prevent the mechanical destruction of files and equipment
secured against natural disasters, power disturbances, external access, and other similar threats

3. Technical Security Measures

• security policy for processing of personal data
• safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference
which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access
through an electronic network
• ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services
• regular monitoring for security breaches, and a process both for identifying and assessing reasonably foreseeable
vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against
security incidents that can lead to a personal data breach
• ability to restore the availability and access to personal data in a timely manner in the event of a physical or
technical incident
• process for regularly testing, assessing, and evaluating the effectiveness of security measures
• encryption of personal data during storage and while in transit, authentication process, and other technical security
measures that control and limit access
Security of Sensitive Personal Information in Government

Requirements Relating to Access by Agency Personnel to Sensitive Personal Information

Source agency - the government agency who originally collected the personal data

On-site and Online Access
No employee of the government shall have access to sensitive personal information on government property or
through online facilities unless the employee has received a security clearance from the head of the source agency.
The source agency shall strictly regulate access to sensitive personal information under its custody or control, particularly
when it allows online access.
Where allowed, online access to sensitive personal information shall be subject to the following conditions:
• an information technology governance framework has been designed and implemented
• sufficient organizational, physical and technical security measures have been established
• the agency is capable of protecting sensitive personal information in accordance with data privacy practices and
standards recognized by the information and communication technology industry
• the employee of the government is only given online access to sensitive personal information necessary for the
performance of official functions or the provision of a public service

Off-site Access
Sensitive personal information may not be transported or accessed from a location off or outside of government
property, whether by its agent or employee, unless the head of agency has ensured the implementation of privacy
policies and appropriate security measures. A request for off-site access must be submitted to and approved by the
head of agency and must include proper accountability mechanisms in the processing of data.
• Deadline for approval or disapproval: 2 business days; if no action is taken, the request is considered disapproved
• Limitation of access to not more than 1,000 records at a time
• Any technology used to store, transport or access sensitive personal information shall be secured by the use of
the most secure encryption standard recognized by the Commission
8.6.6 Rights of Data Subject (natural persons only, ALWAYS)

Mnemonic: In ReD OA Era - informed, rectification, damages, object, access, erasure or blocking

a. Right to be informed

• whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence
of automated decision-making and profiling
• notified and furnished with the following before the entry of his or her personal data into the processing system of the PIC:
  • description of the personal data to be entered
  • purposes, including processing for direct marketing, profiling or historical, statistical or scientific purpose
  • basis of processing, if there is no consent
  • scope and method of data processing
  • recipients or classes of recipients to whom the personal data are or may be disclosed
  • methods utilized for automated access, if the same is allowed by the data subject, and the extent to which
such access is authorized
  • identity and contact details of the personal information controller or its representative
  • period for which the information will be stored
  • existence of their rights as data subjects, including the right to access, correction, and object to the processing,
and the right to lodge a complaint before the Commission
b. Right to object

The data subject shall have the right to object to the processing of his or her personal data, including processing
for direct marketing, automated processing or profiling.
When a data subject objects or withholds consent, the PIC shall no longer process the personal data, unless:
• the personal data is needed pursuant to a subpoena
• the collection and processing are for obvious purposes, including when it is necessary for the performance of or in
relation to a contract or service to which the data subject is a party, or in the context of an employer-employee
relationship between the collector and the data subject
• the information is being collected and processed as a result of a legal obligation

c. Right to Access upon demand:


• contents
• sources
• names and addresses of recipients
• manner by which such data were processed
• reasons for the disclosure, if any
• information on automated processes where the data will, or is likely to, be made as the sole basis for any
decision that significantly affects or will affect the data subject;
• date when the personal data concerning the data subject were last accessed and modified
• designation, name or identity, and address of the PIC
d. Right to rectification

The data subject has the right to dispute the inaccuracy or error in the personal data and have the PIC
correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable (i.e., would
cause harassment, annoyance, frustration, worry, or even bring financial cost).

If the personal data has been corrected, the PIC shall ensure the accessibility of both the new and the retracted
information and the simultaneous receipt of the new and the retracted information by the intended recipients.

“recipients or third parties who have previously received such processed personal data shall be
informed of its inaccuracy and its rectification, upon reasonable request of the data subject”
e. Right to Erasure or Blocking
The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or
her personal data from the personal information controller’s filing system.
May be exercised upon discovery and substantial proof of any of the following:
• the personal data is incomplete, outdated, false, or unlawfully obtained
• the personal data is used for a purpose not authorized by the data subject
• the personal data is no longer necessary for the purposes for which they were collected
• there is no other legal ground or overriding legitimate interest for the processing
• the personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of
speech, of expression, or of the press or otherwise authorized
• the processing is unlawful
• the PIC or PIP violated the rights of the data subject

f. Right to damages
The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated,
false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or
her rights and freedoms as data subject.
Transmissibility of Rights of the Data Subject
The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he
or she is an heir or an assignee, at any time after the death of the data subject, or when the data
subject is incapacitated or incapable of exercising the rights
Right to Data Portability
Where personal data is processed by electronic means and in a structured format that is commonly used, the data
subject has the right to obtain a copy of such data in an electronic or structured format that is commonly used and
allows for further use by the data subject.

The Commission may specify the electronic format, as well as the technical
standards, modalities, procedures and other rules for their transfer.

Non-Applicability of Rights
The above rights of a data subject are not applicable if the personal data are:
• used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out
and no decisions are taken regarding the data subject
• gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject

“personal information shall be held under strict confidentiality and shall be used only for the declared purpose”

8.6.7 Data breach notification


The PIC or PIP shall notify the Commission and the affected data subjects within 72 hours upon knowledge of, or
reasonable belief that, a personal data breach requiring notification has occurred.
Notification is required when:
• sensitive personal information or any other information that may be used to enable identity fraud is reasonably
believed to have been acquired by an unauthorized person, and
• the PIC or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of
serious harm to any affected data subject
“Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the
circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.”

Contents of the notification:
• the nature of the breach
• the personal data possibly involved
• measures taken by the entity to address the breach
The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the
representatives of the personal information controller, including their contact details, from whom the data subject
can obtain additional information about the breach, and any assistance to be provided to the affected data subjects.
Delay of Notification
Notification may be delayed only to the extent necessary:
• to determine the scope of the breach
• to prevent further disclosures
• to restore reasonable integrity to the information and communications system
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the PIC and
existence of good faith in the acquisition of personal data.
b. The Commission may exempt a PIC from notification where, in its reasonable judgment, such notification
would not be in the public interest, or in the interest of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal
investigation related to a serious breach.
Breach Report
A breach report, whether written or electronic, shall be submitted by the PIC to the National Privacy Commission,
containing the required contents, the name of a designated representative of the PIC, and the PIC’s contact details.

All security incidents and personal data breaches shall be documented through written reports, including
those not covered by the notification requirements.
In the case of personal data breaches, the reports shall include:
• facts surrounding an incident
• the effects of such incident
• remedial actions taken by the PIC

In other security incidents not involving personal data, a report containing aggregated data shall constitute
sufficient documentation. These reports shall be made available when requested by the Commission.

A general summary of the reports shall be submitted to the Commission annually


8.6.8 Outsourcing and subcontracting agreements

A PIC may subcontract or outsource the processing of personal data, provided that the PIC uses contractual or
other reasonable means to ensure that proper safeguards are in place:
• to ensure the confidentiality, integrity and availability of the personal data processed
• to prevent its use for unauthorized purposes
• to comply with the requirements of the DPA, other issuances of the Commission, and applicable laws for processing of personal data

Agreements for Outsourcing


Processing by a PIP shall be governed by a contract or other legal act that binds the PIP to the PIC.
a. The contract or legal act shall set out:
• the subject-matter
• duration of the processing
• nature and purpose of the processing
• type of personal data
• categories of data subjects
• obligations and rights of the PIC
• geographic location of the processing under the subcontracting agreement

b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:

Process the personal data only upon the documented instructions of the PIC, including transfers of personal data to
another country or an international organization, unless such transfer is authorized by law

Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data

Implement appropriate security measures and comply with the DPA, the Rules, and other issuances of the Commission

Not engage another processor without prior instruction from the PIC
Assist the PIC by appropriate technical and organizational measures
Assist the PIC in ensuring compliance with DPA and other relevant laws, and other issuances of the Commission

At the choice of the PIC, delete or return all personal data to the PIC after the end of the provision of services,
includes deleting existing copies unless storage is authorized
Make available to the PIC all information necessary to demonstrate compliance with the obligations, and allow for and
contribute to audits, including inspections, conducted by the PIC or another auditor mandated by the latter
Immediately inform the PIC if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of
the Commission

8.6.9 Registration and compliance requirements

Enforcement of the Data Privacy Act


a. Registration of personal data processing systems operating in the country that involves accessing or requiring
sensitive personal information of at least one thousand (1,000) individuals, including the personal data
processing system of contractors, and their personnel, entering into contracts with government agencies
b. Notification of automated processing operations where the processing becomes the sole basis of making
decisions that would significantly affect the data subject
c. Annual report of the summary of documented security incidents and personal data breaches
d. Compliance with other requirements that may be provided in other issuances of the Commission

Registration of Personal Data Processing Systems


A PIC or PIP that employs fewer than 250 persons shall not be required to register, unless:
• the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects
• the processing is not occasional, or
• the processing includes sensitive personal information of at least 1,000 individuals.
Contents of Registration
name and address of the PIC or PIP, and of its representative + contact details
purpose of the processing, and whether processing is being done under an outsourcing or subcontracting agreement
description of the category of data subjects
recipients to whom the data might be disclosed
proposed transfers of personal data outside the Philippines
general description of privacy and security measures for data protection
brief description of the data processing system
copy of all policies relating to data governance, data privacy, and information security
attestation to all certifications attained that are related to information and communications processing; and
name and contact details of the compliance or data protection officer, which shall immediately be updated in case of changes

Notification of Automated Processing Operations

A PIC carrying out any wholly or partly automated processing operations intended to serve a single purpose or
several related purposes shall notify the Commission when:
• the automated processing becomes the sole basis for making decisions about a data subject, and
• the decision would significantly affect the data subject
The notification shall include:
1. Purpose
2. Categories of personal data to undergo processing
3. Category or categories of data subject
4. Consent forms or manner of obtaining consent
5. The recipients or categories of recipients to whom the data are to be disclosed
6. The length of time the data are to be stored
7. Methods and logic utilized for automated processing
8. Decisions relating to the data subject that would be made on the basis of processed data or that
would significantly affect the rights and freedoms of data subject
9. Names and contact details of the compliance or data protection officer
No decision with legal effects concerning a data subject shall be made solely on the basis
of automated processing without the consent of the data subject
Review by the Commission

Upon its own initiative or upon the filing of a complaint by a data subject, the Commission shall review:
• compliance by a PIC or PIP with the Data Privacy Act, the Rules, other issuances of the Commission, and the
requirement of establishing adequate safeguards for data privacy and security
• any data sharing agreement, outsourcing contract and its implementation, and similar contracts involving the
processing of personal data
• any off-site or online access to sensitive personal data in government allowed by a head of agency
• processing of personal data for research purposes, public functions or commercial activities, whether domestically or
internationally, subject to cross-border arrangement and cooperation
• any reported violation of the rights and freedoms of data subjects
• other matters necessary to ensure the effective implementation and administration

Rules on Accountability
A PIC shall be responsible for any personal data under its control or custody, including
information that has been outsourced or transferred to a PIP or a third party for processing.
a. A PIC shall be accountable for complying with the requirements of the Data Privacy Act and shall use contractual or
other reasonable means to provide a comparable level of protection to the personal data while it is being processed by a
personal information processor or third party.
b. A PIC shall designate an individual or individuals who are accountable for its compliance. The identity of the individual
or individuals so designated shall be made known to a data subject upon request.
Penalties

Unauthorized Processing of Personal Information and Sensitive Personal Information


processing personal information or sensitive personal information without the consent of the data subject, or
without being authorized under the Data Privacy Act or any existing law.

Imprisonment Fine
Personal Information 1 to 3 years P500,000 to P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 to P4,000,000

Accessing Personal Information and Sensitive Personal Information Due to Negligence


due to negligence, provided access to information without being authorized under DPA or any existing law

Imprisonment Fine
Personal Information 1 to 3 years P500,000 to P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 to P4,000,000

Improper Disposal of Personal Information and Sensitive Personal Information


knowingly or negligently dispose, discard, or abandon the information of an individual in an area accessible to
the public or has otherwise placed the information of an individual in its container for trash collection

Imprisonment Fine
Personal Information 6 months to 2 years P100,000 to P500,000
Sensitive Personal Information 1 to 3 years P100,000 to P1,000,000
Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes
processing information for purposes not authorized by the data subject, or otherwise authorized under the
DPA or under existing laws.
Imprisonment Fine
Personal Information 1 year & 6 months to 5 years P500,000 to P1,000,000
Sensitive Personal Information 2 to 7 years P500,000 to P2,000,000

Unauthorized Access or Intentional Breach


knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in
any way into any system where personal and sensitive personal information are stored.

Imprisonment Fine
Personal Information and
1 to 3 years P500,000 to P2,000,000
Sensitive Personal Information

Concealment of Security Breaches Involving Sensitive Personal Information

after having knowledge of a security breach and of the obligation to notify the
Commission, intentionally or by omission conceals the fact of such security breach.

Imprisonment Fine
Sensitive Personal Information 1 year & 6 months to 5 years P500,000 to P1,000,000
Malicious Disclosure
Any PIC or PIP, or any of its officials, employees or agents, who, with malice or in bad faith, discloses
unwarranted or false information relative to any personal information or sensitive personal information

Imprisonment Fine
1 year & 6 months to 5 years P500,000 to P1,000,000

Unauthorized Disclosure
Any PIC or PIP, or any of its officials, employees, or agents, who discloses to a third party personal or
sensitive personal information not covered by malicious disclosure, without the consent of the data subject

Imprisonment Fine
Personal Information 1 year & 6 months to 5 years P500,000 to P1,000,000
Sensitive Personal Information 3 to 5 years P500,000 to P2,000,000

Combination or Series of Acts

Imprisonment Fine
3 to 6 years P500,000 to P1,000,000
Extent of Liability
• Corporation, partnership or any juridical person: the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. Where applicable, the court may also suspend or revoke any of its rights under the Data Privacy Act.
• Alien: shall, in addition to the penalties, be deported without further proceedings after serving the penalties.
• Public official or employee: if found guilty of Improper Disposal of Personal Information and Sensitive Personal Information, or of Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes, shall, in addition to the penalties, suffer perpetual or temporary absolute disqualification from office, as the case may be.

Large-Scale
The maximum penalty shall be imposed when the personal data of at least one hundred (100) persons are harmed, affected, or involved, as the result of any of the above-mentioned offenses.

Offense Committed by Public Officer
A public officer who commits an offense in the exercise of his or her duties shall suffer an accessory penalty consisting of disqualification to occupy public office for a term double the term of the criminal penalty imposed.

Restitution
Pursuant to the exercise of its quasi-judicial functions, the Commission shall award indemnity to an aggrieved party on the basis of the provisions of the New Civil Code. Any complaint filed by a data subject shall be subject to the payment of filing fees, unless the data subject is an indigent.
Information Classification

Gender                                            SPI
School graduated from and date graduated          SPI
E-mail address                                    PI
Laptop's IP address                               PI
Bank account number                               SPI
Home address                                      PI
Income tax return                                 SPI
Location tracked using an app (e.g., Grab)        PI
Court cases filed against the individual          SPI
Disclosures made to an auditor                    Privileged

Covers all types of information but NOT:
1. public concern (government information)
2. journalistic, artistic, literary, research
3. research for public benefit
4. law enforcement & regulatory functions
5. compliance with BSP
6. residents of foreign jurisdiction with applicable DPA

Geographical area of DPA: PH, but there may be instances where it also applies "extra-territorially", even outside PH, where a "contract" or "link" in the PH is established.
Privileged Information and Sensitive Personal Information
Can I process? NO, except with:
• consent
• existing law or regulation
• life and health
• processing by NPO
• medical treatment
• legal rights and interest in court procedures or legal claims

Personal Information
Can I process? YES, with:
• consent
• contract
• vital interest/life & health
• legal obligation
• national emergency
  - public order & safety
  - safety functions as required by law
• legitimate interest of PIC or third party