 What is the Data Privacy Act?

Republic Act No. 10173, otherwise known as the Data Privacy Act is a law that seeks to
protect all forms of information, be it private, personal, or sensitive. It is meant to cover both
natural and juridical persons involved in the processing of personal information.
 What is the scope of the Data Privacy Act?

As mentioned earlier, the Data Privacy Act applies to any natural or juridical persons
involved in the processing of personal information. It also covers those who, although not
found or established in the Philippines, use equipment located in the Philippines, or those
who maintain an office, branch, or agency in the Philippines.
 What is processing of personal information?
Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any set of
operations performed upon personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.”

In other words, processing of personal information is any operation where personal

information is involved. Whenever your information is, among other things, collected,
modified, or used for some purpose, processing already takes place.

 What is personal information?

Under Sec. 3(g) of the Data Privacy Act, “[p]ersonal information refers to any information
whether recorded in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify
an individual.”

In other words, personal information is any information which can be linked to your identity,
thus making you readily identifiable.

 What is privileged information?

Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms
of data which under the Rules of Court and other pertinent laws constitute privileged
communication.” One such example would be any information given by a client to his
lawyer. Such information would fall under attorney-client privilege and would, therefore, be
considered privileged information.

 Does the difference between personal information and sensitive personal information matter?
 Yes. The law treats both kinds of personal information differently. Personal information may
be processed, provided that the requirements of the Data Privacy Act are complied with. On
the other hand, the processing of sensitive personal information is, in general, prohibited.
The Data Privacy Act provides the specific cases where processing of sensitive personal
information is allowed.

 Is there a difference between personal information and sensitive personal information?

 Yes. While personal information refers to information that makes you readily
identifiable, sensitive personal information, as defined in Sec. 3(l) of the Data Privacy
Act, refers to personal information:
 (1) About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
 (2) About an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in such
proceedings;
 (3) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or cm-rent health records, licenses or its
denials, suspension or revocation, and tax returns; and
 (4) Specifically established by an executive order or an act of Congress to be kept
classified.
 Therefore, any information that can be categorized under any of the enumerated
items are considered sensitive personal information.

 Are there any exceptions to the application of the Data Privacy Act?

 The Data Privacy Act explicitly states that its provisions are not applicable in the
following cases:
 (a) Information about any individual who is or was an officer or employee of a
government institution that relates to the position or functions of the individual,
including:
 (1) The fact that the individual is or was an officer or employee of the government
institution;
 (2) The title, business address and office telephone number of the individual;
 (3) The classification, salary range and responsibilities of the position held by the
individual; and
 (4) The name of the individual on a document prepared by the individual in the
course of employment with the government;
 (b) Information about an individual who is or was performing service under contract
for a government institution that relates to the services performed, including the
terms of the contract, and the name of the individual given in the course of the
performance of those services;
  (c) Information relating to any discretionary benefit of a financial nature such as the
granting of a license or permit given by the government to an individual, including the
name of the individual and the exact nature of the benefit;
 (d) Personal information processed for journalistic, artistic, literary or research
purposes;
 (e) Information necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the independent,
central monetary authority and law enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions. Nothing in this Act shall be
construed as to have amended or repealed Republic Act No. 1405, otherwise known
as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as
the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as
the Credit Information System Act (CISA);
 (f) Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other applicable
laws; and
 (g) Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable data
privacy laws, which is being processed in the Philippines.

 Are companies required to appoint someone who should be responsible for ensuring
compliance with the Data Privacy Act?

Yes. Under the Implementing Rules and Regulations of the Data Privacy Act, all
organizations are required to appoint a Data Protection Officer (“DPO”). The Data
Protection Officer shall be accountable for ensuring compliance with the appropriate data
protection laws and regulations.

 Can there be more than one person who shall perform the functions of a Data Protection
Officer in a organization?

Yes. The Implementing Rules and Regulations of the Data Privacy Act speaks of an
individual or individuals who shall perform the functions of a Data Protection Officer or a
Compliance Officer.

 How is privileged information treated by the Data Privacy Act?

Much like sensitive personal information, the processing of privileged information is

prohibited by the law.

 What are the cases where the processing of sensitive personal information and privileged
information is allowed?
Section 13 of the Data Privacy Act enumerates the cases where sensitive personal
information and privileged information may be processed. These are the following:
(a) The data subject has given his or her consent, specific to the purpose prior to the
processing, or in the case of privileged information, all parties to the exchange have given
their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided,
That such regulatory enactments guarantee the protection of the sensitive personal
information and the privileged information: Provided, further, That the consent of the data
subjects are not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another
person, and the data subject is not legally or physically able to express his or her consent
prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of
public organizations and their associations: Provided, That such processing is only confined
and related to the bona fide members of these organizations or their associations: Provided,
further, That the sensitive personal information are not transferred to third parties: Provided,
finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a
medical practitioner or a medical treatment institution, and an adequate level of protection of
personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of
lawful rights and interests of natural or legal persons in court proceedings, or the
establishment, exercise or defense of legal claims, or when provided to government or
public authority.

SUMMARY: PHILIPPINES DATA PRIVACY ACT AND IMPLEMENTING REGULATIONS

The Philippines has a growing and important business process management and health
information technology industry. Total IT spending reached $4.4 billion in 2016, and
the sector is expected to more than double by 2020. Filipinos are heavy social media
users, 42.1 million are on Facebook, 13 million on Twitter, and 3.5 million are LinkedIn
users. The country is also in the process of enabling free public Wi-Fi. In the context of
the rapid growth of the digital economy and increasing international trade of data, the
Philippines has strengthened its privacy and security protections.

In 2012 the Philippines passed the Data Privacy Act 2012, comprehensive and strict
privacy legislation “to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote
innovation and growth.” (Republic Act. No. 10173, Ch. 1, Sec. 2). This
comprehensive privacy law also established a National Privacy Commission that
enforces and oversees it and is endowed with rulemaking power. On September 9,
2016, the final implementing rules and regulations came into force, adding specificity to
the Privacy Act.
Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application,
applying not only to businesses with offices in the Philippines, but when equipment
based in the Philippines is used for processing. The act further applies to the processing
of the personal information of Philippines citizens regardless of where they reside.

One exception in the act provides that the law does not apply to the processing of
personal information in the Philippines that was lawfully collected from
residents of foreign jurisdictions — an exception helpful for Philippines companies
that offer cloud services.

Approach

The Philippines law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”

Collection, processing, and consent

The act states that the collection of personal data “must be a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the
collection of all personal data. It requires that when obtaining consent, the data
subject be informed about the extent and purpose of processing, and it specifically
mentions the “automated processing of his or her personal data for profiling,
or processing for direct marketing, and data sharing.” Consent is further
required for sharing information with affiliates or even mother companies.

Consent must be “freely given, specific, informed,” and the definition further
requires that consent to collection and processing be evidenced by recorded means.
However, processing does not always require consent.

Consent is not required for processing where the data subject is party to a
contractual agreement, for purposes of fulfilling that contract. The exceptions
of compliance with a legal obligation upon the data controller, protection of the vital
interests of the data subject, and response to a national emergency are also available.

An exception to consent is allowed where processing is necessary to pursue the

legitimate interests of the data controller, except where overridden by the
fundamental rights and freedoms of the data subject.
Required agreements

The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these agreements
are subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

 About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

 About an individual’s health, education, genetic or sexual life of a person, or to any

proceeding or any offense committed or alleged to have committed;

 Issued by government agencies “peculiar” (unique) to an individual, such as social

security number;

 Marked as classified by executive order or act of Congress.

All processing of sensitive and personal information is prohibited except in certain

circumstances. The exceptions are:

 Consent of the data subject;

 Pursuant to law that does not require consent;

 Necessity to protect life and health of a person;

 Necessity for medical treatment;

 Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.

Surveillance

Interestingly, the Philippines law states that the country’s Human Security Act of 2007
(a major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access management, providing
recourse to data subjects, and appropriate data retention policies. These requirements
necessitate the creation of a privacy program. Requirements for technical security
safeguards in the act also mandate that an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the
principles of notice, choice, access, accuracy and integrity of data.

The Philippines law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her
personal data from the filing system of the data controller. Exercising this right requires
“substantial proof,” the burden of producing which is placed on the data subject.
This right is expressly limited by the fact that continued publication may be justified by
constitutional rights to freedom of speech, expression and other rights.

Notably, the law provides a private right of action for damages for inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.

A right to data portability is also provided.

Mandatory personal information breach notification

The law defines “security incident” and “personal data breach” ensuring that the
two are not confused. A “security incident” is an event or occurrence that affects or
tends to affect data protection, or may compromise availability, integrity or
confidentiality. This definition includes incidents that would result in a personal breach,
if not for safeguards that have been put in place.

A “personal data breach,” on the other hand, is a subset of a security breach that
actually leads to “accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data transmitted,
stored, or otherwise processed.

Requirement to notify

The law further provides that not all “personal data breaches” require notification.,
which provides several bases for not notifying data subjects or the data protection
authority. Section 38 of the IRRs provides the requirements of breach notification:

 The breached information must be sensitive personal information, or information that

could be used for identity fraud, and
  There is a reasonable belief that unauthorized acquisition has occurred, and

 The risk to the data subject is real, and

 The potential harm is serious.

The law provides that the Commission may determine that notification to data subjects
is unwarranted after taking into account the entity’s compliance with the Privacy Act,
and whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as
well as affected data subjects within 72 hours of knowledge of, or reasonable belief by
the data controller of, a personal data breach that requires notification.

It is unclear at present whether the commission would allow a delay in notification of

data subjects to allow the commission to determine whether a notification is
unwarranted. By the law, this would appear to be a gamble.

Notification contents

The contents of the notification must at least:

 Describe the nature of the breach;

 The personal data possibly involved;

 The measures taken by the entity to address the breach;

 The measures take to reduce the harm or negative consequence of the breach;

 The representatives of the personal information controller, including their contact

details;

 Any assistance to be provided to the affected data subjects.

Penalties

The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.
Any combination or series of acts may cause the entity to be subject to imprisonment
ranging from three to six years as well as a fine of approximately $20,000 to $100,000.

Notably, there is also the previously mentioned private right of action for damages,
which would apply.

Penalties for failure to notify

Persons having knowledge of a security breach involving sensitive personal information

and of the obligation to notify the commission of same, and who fail to do so, may be
subject to penalty for concealment, including imprisonment for 1 1/2 to five years of
imprisonment, and a fine of approximately $10,000 - $20,000.

Depending upon the circumstances additional violations might apply.

The Beginner’s Guide to RA 10173 (Data Privacy Act of 2012)

In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known as the Data Privacy
Act (DPA) of 2012. Five years later, the DPA’s Implementing Rules and Regulations was put in effect on
September 9, 2016, thus mandating all companies to comply.

The act is a necessary and important precaution in a world economy that’s swiftly going digital. In 2014,
it was estimated that 2.5 quintillion — or 2.5 billion billion — bytes of data were created everyday. This
includes unprecedented knowledge about what real individuals are doing, watching, thinking, and
feeling.

Companies must be held accountable not only for what they do with customer data — but how they
protect that data from third parties. The past few years of security breaches, system errors, and ethical
scandals within some of the country’s major banks have reminded us that there is much work to be
done.

So, where to begin for institutions who want to comply with RA 10173 and be proactive about their
consumers’ digital privacy?

What is RA 10173?

RA 10173, or the Data Privacy Act, protects individuals from unauthorized processing of personal
information that is (1) private, not publicly available; and (2) identifiable, where the identity of the
individual is apparent either through direct attribution or when put together with other available
information.

What does this entail?

First, all personal information must be collected for reasons that are specified, legitimate, and
reasonable. In other words, customers must opt in for their data to be used for specific reasons that are
transparent and legal.

Second, personal information must be handled properly. Information must be kept accurate and
relevant, used only for the stated purposes, and retained only for as long as reasonably needed.
Customers must be active in ensuring that other, unauthorized parties do not have access to their
customers’ information.

Third, personal information must be discarded in a way that does not make it visible and accessible to
unauthorized third parties.

Unauthorized processing, negligent handling, or improper disposal of personal information is punishable

with up to six (6) years in prison or up to five million pesos (PHP 5,000,000) depending on the nature and
degree of the violation.

Who needs to register?

Companies with at least 250 employees or access to the personal and identifiable information of at least
1,000 people are required to register with the National Privacy Commission and comply with the Data
Privacy Act of 2012. Some of these companies are already on their way to compliance — but many more
are unaware that they are even affected by the law.

How do I remain in compliance of the Data Privacy Act?

The National Privacy Commission, which was created to enforce RA 10173, will check whether
companies are compliant based on a company having 5 elements:

1. Appointing a Data Protection Officer

2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy
5. Exercising a breach reporting procedure

Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012

Information and communications technology plays a vital role in nation-building and development of the
country. In the information age, he who holds information holds power. From macro-economic
perspective, the free flow of information is concededly vital to the growth of any nation, and key to the
success of any business. With the power that follows information, it is in the interest of the State to
govern the parameters by which such power will be held, while at the same time ensuring the free flow
of information to promote innovation and growth.
From the perspective of citizens and individuals, the State also protects their fundamental human rights
to privacy of communication. And with the exponentially increasing availability of ways and means to
access personal data and information, it becomes the duty of the State to guard against transgressions
of the individual’s rights.

Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, is one formidable piece of
legislation. Its application encompasses all walks of business, from the banking and finance sector, to
labor and human resources, schools, and even non-profit organizations. This is of course not to say that
the Data Privacy Act of 2012 finds no application to individuals and citizens. On the contrary, the units of
information supplied by individuals and citizens in the Philippines comprise the whole, which the Data
Privacy Act of 2012 protects. Thus, access to private and personal information belonging to individuals is
covered by its mantle of protection in the same and unyielding manner as trade secrets held by global
conglomerates and multinationals.

Data Privacy Act of 2012 protects all forms of information that are personal, private or privileged. It
covers all persons, whether natural or juridical, with particular emphasis to companies or juridical
entities involved in the processing of protected information.

It is important to note however, that by its very title, the law only protects information that is
considered private. Information that has been publicly available or accessible before its enactment
continues to the public. The value that the Data Privacy Act of 2012 adds to the present state of
Philippine law is the manner by which private or confidential information is protected. To be more
specific, the passage of this law has, to a great extent, upgraded the value of data and its protection in
the Philippines. To this end, the law specifies and provides stringent parameters for their access, and
imposes grave sanctions, both penal and pecuniary, for unlawful use or disclosure of information.

As a matter of fact, the Data Privacy Act of 2012 upgraded the pecuniary liability for a violation of its
provisions. Never before has there been pecuniary liability expressly specified in a law, as high as up to
Five Million Pesos (P5,000,000.00). Moreover, unlike in the past where negligence in handling
confidential information is not met with penal sanction, the Data Privacy Act punishes negligence in
handling information with great severity. Finally, it is only until its enactment that a large-scale violation
of data privacy was defined. It may be important to state that law imposes the maximum penal sanction
where the personal information of at least one hundred (100) persons is harmed, affected or involved.
To give an idea of how stringent the current state of data privacy laws in the Philippines are, the
pertinent penal provisions of R.A. No. 10173 are reproduced below:

SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a) The
unauthorized processing of personal information shall be penalized by imprisonment ranging from one
(1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal
information without the consent of the data subject, or without being authorized under this Act or any
existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment
ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons
who process personal information without the consent of the data subject, or without being authorized
under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. – (a)
Accessing personal information due to negligence shall be penalized by imprisonment ranging from one
(1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to
negligence, provided access to personal information without being authorized under this Act or any
existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment
ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons
who, due to negligence, provided access to personal information without being authorized under this
Act or any existing law.

SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The
improper disposal of personal information shall be penalized by imprisonment ranging from six (6)
months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but
not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the personal information of an individual in an
area accessible to the public or has otherwise placed the personal information of an individual in its
container for trash collection.

b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging
from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos
(Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons
who knowingly or negligently dispose, discard or abandon the personal information of an individual in
an area accessible to the public or has otherwise placed the personal information of an individual in its
container for trash collection.

SEC. 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized
Purposes. – The processing of personal information for unauthorized purposes shall be penalized by
imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than
Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)
shall be imposed on persons processing personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be penalized by
imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be
imposed on persons processing sensitive personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws.

SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one (1)
year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not
more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system
where personal and sensitive personal information is stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The penalty of
imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be
imposed on persons who, after having knowledge of a security breach and of the obligation to notify the
Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security
breach.

SEC. 31. Malicious Disclosure. – Any personal information controller or personal information processor
or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or
false information relative to any personal information or personal sensitive information obtained by him
or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million
pesos (Php1,000,000.00).

SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information
processor or any of its officials, employees or agents, who discloses to a third party personal information
not covered by the immediately preceding section without the consent of the data subject, shall he
subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of its officials,
employees or agents, who discloses to a third party sensitive personal information not covered by the
immediately preceding section without the consent of the data subject, shall be subject to
imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

SEC. 33. Combination or Series of Acts. – Any combination or series of acts as defined in Sections 25 to
32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine
of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos
(Php5,000,000.00).

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person, the
penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by
their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the
court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in
addition to the penalties herein prescribed, be deported without further proceedings after serving the
penalties prescribed. If the offender is a public official or employee and lie or she is found guilty of acts
penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed
herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.

SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided for the
preceding offenses shall be imposed when the personal information of at least one hundred (100)
persons is harmed, affected or involved as the result of the above mentioned actions.

SEC. 36. Offense Committed by Public Officer. – When the offender or the person responsible for the
offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his
or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term
double the term of criminal penalty imposed shall he applied