
DATA PRIVACY ACT OF 2012

RA 10173, otherwise known as the Data Privacy Act, is a law that seeks to protect
all forms of information, be it private, personal, or sensitive.

PURPOSE OF THE LAW:

1) Protects the privacy of individuals while ensuring free flow of information to
promote innovation and growth;
2) Regulates the collection, recording, organization, storage, updating, or
modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of personal data; and
3) Ensures that the Philippines is compliant with international standards set for
data protection

Structure of the DPA:

Sections 1-6: Definitions and General Principles
Sections 7-10: The National Privacy Commission
Sections 11-21: Rights of Data Subjects and Obligations of Personal Information
Controllers and Processors
Sections 22-24: Provisions Specific to Government
Sections 25-37: Penalties

KEY DPA ACTORS:

- Data Subject – individual whose personal data is processed

- Personal Information Controller (PIC) – natural or juridical person, or any
other body that controls the processing of personal data

- Personal Information Processor (PIP) – natural or juridical person, or any
other body to whom a PIC may outsource or instruct the processing of
personal data

- National Privacy Commission (NPC) – independent government body
mandated to implement the DPA

INFORMATION COVERED BY THE ACT:

Under the DPA, personal data is considered and treated as a person’s own
personal property.
Classification of Personal Data:

1) Personal Information
2) Sensitive Personal Information
3) Privileged Information

Personal Information (PI) – any information from which the identity of an
individual is apparent or can be reasonably and directly ascertained, or when
put together with other information would directly and certainly identify an
individual.

Sensitive Personal Information (SPI) – any information about an individual’s

- Race,
- Ethnic origin,
- Marital status,
- Age,
- Color,
- Religious, philosophical, or political affiliations,
- Health, education, genetic, or sexual life,
- Proceeding for any offense committed or alleged to have been committed by an
individual, including the disposal of such proceeding and the sentence imposed
in such proceeding
- Details issued by government peculiar to an individual like social security
number, TIN, etc.
- Established by an EO or act of Congress to be kept classified

Privileged Information – any and all forms of data which under the Rules of
Court and other pertinent laws constitute privileged
communication

SCOPE OF THE DPA:

DPA applies to:

- Any natural or juridical persons involved in the processing of personal
information;
- Those who, although not found or established in the Philippines, use equipment
located in the Philippines, or those who maintain an office, branch, or agency in
the Philippines

DPA not applicable to personal data relating to:


o Matters of public concern (Sec. 4a-c)
o Journalistic, artistic, or literary or research purposes (4d)
o Performance of law enforcement or regulatory functions of public authority (4e)
o Compliance of BSP-regulated banks & FI’s with CISA, AMLA and other laws (4f)
o Residents of foreign jurisdictions with applicable data privacy laws

EXTRATERRITORIAL APPLICATION:

DPA applies to an act done or practice engaged in and outside of the Philippines by
an entity if:

a) The act, practice or processing relates to personal information about a
Philippine citizen or a resident;
b) The entity has a link with the Philippines, and the entity is processing
personal information in the Philippines or even if the processing is outside the
Philippines as long as it is about Philippine citizens or residents; and
c) The entity has other links in the Philippines

PROCESSING OF PERSONAL INFORMATION

- Refers to any operation or set of operations performed upon personal
information like collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure, or
destruction of data.

- In other words, any operation where personal information is involved.
Whenever information is collected, modified, or used for some purpose,
processing already takes place.

- The KEY is to obtain the data subject’s CONSENT:

  o Freely given, specific, informed indication of will, whereby the data
  subject agrees to the collection and processing of his or her personal,
  sensitive personal, and privileged information;

  o Evidenced by written, electronic, or recorded means;

  o It can be given by the data subject’s lawful representative or agent
  specifically authorized by the data subject.

DATA PRIVACY PRINCIPLES

1) Transparency
- The data subject must be aware of the nature, purpose, and extent of the
processing of his or her personal data

2) Legitimate Purpose
- The processing of information shall be compatible with a declared and
specified purpose which must not be contrary to law, morals, or public
policy.

3) Proportionality
- The processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified
purpose.

Q: DOES THE DIFFERENCE BETWEEN PI AND SPI MATTER?

YES. The law treats both kinds of personal information differently.

Personal information may be processed, provided that the requirements
of the Data Privacy Act are complied with. On the other hand, the
processing of sensitive personal information is, in general, prohibited. The
Data Privacy Act provides the specific cases where processing of sensitive
personal information is allowed.

SUBCONTRACTING

A personal information controller (PIC) may subcontract the processing of
personal information. The PIC must, however, ensure that proper safeguards are in
place to ensure the confidentiality of the personal information processed, to prevent
its unauthorized use, and generally, to comply with the requirements of the Act and
other laws for processing of personal information.

PRIVILEGED COMMUNICATION

Personal information controllers may invoke the principle of privileged
communication over privileged information that they lawfully control or process.

CRITERIA FOR LAWFUL PROCESSING OF PI (Personal Information)


- Consent
- Contract with the individual
- Vital interests/Life and health
- Legal obligation
- National emergency/Public order and safety
- Constitutional or statutory mandate of a public authority
- Legitimate interests of the PIC or third parties

CRITERIA FOR LAWFUL PROCESSING OF SPI (Sensitive Personal Information)


- Consent
- Existing laws and regulations
- Life and health
- Processing by non-stock, non-profit organizations
- Medical treatment
- Lawful rights and interests in court proceedings/legal claims

RIGHTS OF DATA SUBJECTS:

1. The right to be informed.
2. The right to access.
3. The right to object.
4. The right to erasure or blocking.
5. The right to rectify.
6. The right to data portability.
7. The right to file a complaint.
8. The right to damages.

EXCEPTIONS/NON-APPLICABILITY:

a) If the processed personal information is used only for the needs of
scientific and statistical research and, on the basis of such, no activities
are carried out and no decisions are taken regarding the data subject; and

b) If the processing of personal information gathered is for the purpose of
investigations in relation to any criminal, administrative or tax liabilities of
a data subject.

DUTIES AND RESPONSIBILITIES OF PIC/PIP:

1. Adhere to data privacy principles of Transparency, Legitimate Purpose, and
Proportionality;

2. Uphold data subject’s rights; and

3. Implement security measures.
