
NPC ADVISORY NO. 2017-005

A personal information controller (PIC) subject to the provisions of Republic Act No. 10173, also
known as the Data Privacy Act of 2012 (DPA), may be located outside of the Philippines.

SEC 4 - “Scope. – This Act applies to the processing of all types of personal information
and to any natural and juridical person involved in personal information processing
including those personal information controllers and processors who, although not found
or established in the Philippines, use equipment that are located in the Philippines, or
those who maintain an office, branch or agency in the Philippines subject to the
immediately succeeding paragraph: Provided, That the requirements of Section 5 (sic) are
complied with.”

For the extra-territorial application of the law to operate, the PIC must be engaged in the
processing of the personal data of a Filipino citizen, or at least a resident of the Philippines, and
it should have an established link to the country.

Please note that the DPA defines a PIC as a “person or organization who controls the collection,
holding, processing or use of personal information, including a person or organization who
instructs another person or organization to collect, hold, process, use, transfer or disclose
personal information on his or her behalf.”

Your query seems to indicate that whoever is managing or running the internal branding
campaign that requires the processing of personal data should be considered as the PIC.
Unfortunately, we are unable to establish with certainty who must be considered the PIC
given the facts you have provided. Accordingly, there is a need for you to evaluate the
relationship between the companies mentioned and the extent of their involvement in the
aforesaid campaign. Since the law imposes a number of obligations upon the PIC, one should
identify this person or organization as soon as possible in order for it to note its obligations
under the law.

Cross-border Transfer of Personal Data and the DPA

In situations wherein the cross-border transfer of personal data is necessary for processing
purposes, keep in mind Section 21 of the DPA, to wit:

“Principle of Accountability. – Each personal information controller is responsible for
personal information under its control or custody, including information that have been
transferred to a third party for processing, whether domestically or internationally,
subject to cross-border arrangement and cooperation.”

As can be gleaned from the foregoing provision, the PIC has the primary responsibility of
securing the personal data under its control or custody, even when these are transferred across
borders or jurisdictions. It shall ensure that said data are processed in accordance with the
provisions of the DPA, its IRR, and other applicable issuances of the NPC. Any outsourcing,
subcontracting, or data sharing agreement that facilitates such cross-border transfer shall also
be subject to the requirements of the law.

In your particular case, whoever is determined to be the PIC shall shoulder these responsibilities.
In the event, for instance, that the Singapore entity is identified as the PIC, it shall utilize all
available and appropriate means to ensure that your company here in the Philippines
(presumably acting as a mere personal information processor) abides by the DPA and other
applicable policies.

NPC ADVISORY NO. 2017-009

Data Sharing Agreements vis-à-vis EU Regulations

The requirement pertaining to data sharing agreements, as provided in the IRR, emphasizes the
second of the twin state policies that constitute the NPC’s mandate, which are to: (1) protect the
fundamental human right of privacy; and (2) ensure free flow of information to promote
innovation and growth.

How such requirement measures up against the provisions of the Directive 95/46/EC (EU
Directive), or its successor, EU 2016/679 (General Data Protection Regulation or GDPR), is
immaterial, since the Philippines is not a member of the Union and therefore not bound by its
policies. Neither is the DPA nor its IRR meant to directly enforce the said EU regulations.

Compliance Period for Data Sharing Agreements

The provisions of the IRR became effective on 9 September 2016, fifteen (15) days after the
latter was published in the Official Gazette. Thus, the need to comply therewith, including those
governing data sharing arrangements, also became mandatory on that date.

The one (1)-year period for compliance provided in the IRR relates only to the registration of
data processing systems or automated processing operations by personal information
controllers (PIC) and personal information processors (PIP).

NPC Circular No. 16-02, while specifically directed at data sharing agreements involving
government agencies, may also be used by the private sector for additional guidance on this
matter.

NPC ADVISORY NO. 2017-012

This is with regard to your query received by the National Privacy Commission (NPC) on 26
October 2016 regarding the Implementing Rules and Regulations (IRR) of Republic Act No.
10173, also known as the Data Privacy Act (DPA) of 2012. You inquired whether the IRR prohibits
the transmission and processing of personal data outside the country, specifically in contexts
involving cloud infrastructures or M2M applications.

The DPA and its IRR do not prohibit the transmission and processing of personal data outside the
country. Both sets of regulations explicitly recognize those instances wherein the processing of
personal data is conducted outside of the Philippines, but still fall within the scope of the DPA. In
such cases, the personal information controller (PIC) and/or personal information processor
concerned must still comply with the provisions of the DPA, its IRR, and issuances by the NPC.

It is also worth noting that Section 50 of the IRR highlights the responsibility of PICs over
personal data whose processing they decide to outsource or transfer to parties not located within
the country, subject to the appropriate cross-border enforcement procedures.

NPC ADVISORY NO. 2017-024

Specifically, you seek to inquire on the duration for which your company can keep the following
files/information:

a. Job applicant’s personal data after unsuccessful application;
b. Employee’s personal data after employee ceased employment; and
c. Benefits enrollment information after employee ceased employment.

The DPA provides that personal data shall only be retained for as long as necessary for the
fulfillment of the purposes for which the data was obtained or for the establishment, exercise or
defense of legal claims, or for legitimate business purposes, or as provided by law.

Further, the IRR expounds on such requirement under Section 19(d), to wit:
“Section 19. General principles in collection, processing and retention. The processing of
personal data shall adhere to the following general principles in the collection,
processing, and retention of personal data: xxx xxx xxx
d. Personal Data shall not be retained longer than necessary.
1. Retention of personal data shall only be for as long as necessary:
(a) for the fulfillment of the declared, specified, and legitimate purpose, or when
the processing relevant to the purpose has been terminated;
(b) for the establishment, exercise or defense of legal claims; or
(c) for legitimate business purposes, which must be consistent with standards
followed by the applicable industry or approved by appropriate government
agency
2. Retention of personal data shall be allowed in cases provided by law.”

The IRR further provides that personal data shall not be retained in perpetuity in contemplation
of a possible future use yet to be determined.

From the foregoing, it is clear that the DPA and its IRR do not provide for a specific retention
period. Instead, the law sets out the general principles and guidelines for the retention of
personal data. As a general rule, records containing personal data should be retained only for as
long as may be necessary for the purpose or purposes for which the personal data were
collected.

The company should be mindful of the data privacy principles of transparency, legitimate
purpose and proportionality. This means that data subjects must be informed of the retention
periods of the company, and the purpose for retaining the records. The company must ensure
that only that personal data which is adequate, relevant, suitable and necessary for the purpose
will be retained.

Likewise, when retaining personal data, the company must implement security measures to
ensure that the personal data being stored or retained are protected. These guidelines will not
apply where the personal data is aggregated or kept in a form which does not permit
identification of data subjects, in which case, the data may be kept longer.

It is recommended that the company develop and maintain its own record management policy
which provides for retention periods and procedures for disposal of records containing personal
data. Factors that may be considered by a company in determining retention periods of
employment records would include:

1. Legal requirements to which the company may be subject;
2. Applicable prescription periods in existing law (i.e. money claims);
3. Department of Labor and Employment Rules;
4. Bureau of Internal Revenue regulations for bookkeeping requirements; and
5. Industry standards, and other laws and regulations that apply to the sector.

Thus, for as long as your company can determine a legitimate business purpose for the retention
of the abovementioned personal data, which is consistent with standards followed in the
industry you are in, or if there exists any legal claims being pursued by the company, or when
retention is allowed as provided for by law, then retention of personal data is permitted.
However, such retention must not be in perpetuity in consideration of some future use which
has not yet been determined.

NPC ADVISORY NO. 2018-003

INQUIRY:

1. Appropriate means to regulate the visitor logbooks for security purposes;
2. Whether consent is needed in collecting personal information; and
3. Registration of the logbook with the NPC.

In your inquiry, you have mentioned that for every visitor entering the building or office, you
require them to provide certain information in the logbook, such as: (1) name; (2) time of arrival;
(3) time of departure; and (4) signature, and visitors are likewise required to surrender one (1)
government-issued identification card, in exchange for the visitor’s pass.

This information is considered personal and sensitive personal information under the Data
Privacy Act of 2012 (DPA). Specifically, the name and signature of the individual or visitor are
considered as personal information. On the other hand, the government-issued identification
card containing the number specifically assigned to the individual by the issuing government
agency is considered as sensitive personal information.

Given that you are processing personal and sensitive personal information as mentioned above,
the DPA then directs you, as the personal information controller, to comply with duties and
responsibilities under the law and implement appropriate security measures to ensure the
protection and security of such personal data.

It is imperative to determine whether the information being collected in the logbooks are
necessary and proportionate to the purpose of collection. Following such determination, the
risks and vulnerabilities in the processing should likewise be identified and addressed, and an
evaluation of the current security measures being implemented should be made to see if these
are reasonable and appropriate to ensure the security and protection of personal information or
whether there is a need to improve current practices. These may be accomplished through the
conduct of a privacy impact assessment.

To observe the principle of transparency to the data subjects, a privacy notice or privacy
statement may be displayed alongside the logbook to apprise the visitors of the purpose of
collection, recipients of collected information and retention period of stored information, among
others.

Kindly note that Singapore’s data protection authority, the Personal Data Protection Commission
(PDPC), has decided a complaint in relation to the failure by a security company to safeguard
their visitor logbook which resulted in a data breach incident. The PDPC ruled that the recording
and safekeeping of logbooks were considered as activities involving processing of personal data,
hence, actual processes, practices and policies must be put in place in order to protect personal
data and ensure the safety of the logbook at all times.

With regard to consent of data subjects, a personal information controller may lawfully process
personal information if the circumstance falls under any of the criteria for lawful processing of
personal information, consent being one of them. Legitimate interest is also a criterion for
processing personal information. Please refer to Section 13 of the DPA for the criteria for lawful
processing of sensitive personal information.

On the registration requirement, NPC issued a circular – Registration of Data Processing Systems
and Notifications Regarding Automated Decision-Making, Section 5 of which provides:

“SECTION 5: Mandatory Registration. A PIC or PIP shall register its data processing system
if it is processing personal data and operating in the country under any of the following
conditions:
A. The PIC or PIP employs at least two hundred fifty (250) employees;
B. The processing includes sensitive personal information of at least one thousand
(1,000) individuals;
C. The processing is likely to pose a risk to the rights and freedoms of data subjects.
Processing operations that pose a risk to data subjects include those that involve:
1. Information that would likely affect national security, public safety, public
order, or public health;
2. Information required by applicable laws or rules to be confidential;
3. Vulnerable data subjects like minors, the mentally ill, asylum seekers, the
elderly, patients, those involving criminal offenses, or in any other case where an
imbalance exists in the relationship between a data subject and PIC or PIP;
4. Automated decision-making; or
5. Profiling
D. The processing is not occasional: Provided, that processing shall be considered
occasional if it is only incidental to the mandate or function of the PIC or PIP, or, it only
occurs under specific circumstances and is not regularly performed. Processing that
constitutes a core activity of a PIC or PIP, or is integral thereto, will not be considered
occasional.”

Thus, if you satisfy any of the above-mentioned conditions, you are required to register with the
NPC. For Sections 5(C) and (D) above, please note also the Appendix to the circular providing for
the initial list of specific sectors, industries, or entities that shall be covered by mandatory
registration.

It is important to note that the definition of a data processing system includes manual or paper-
based systems, i.e. logbooks, as well as electronic systems.

Finally, we wish to emphasize that data collection through visitor logbooks may often be
overlooked. But as this is a paper-based processing system, security measures to protect the data
need not be a complicated matter as this will entail reasonable and appropriate organizational
and physical security measures only.
