Data Privacy Act of 2012
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

➢ The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

➢ Including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

❖ Legitimate Purpose

➢ Processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals or public policy.

❖ Proportionality

➢ The processing of information shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose.

Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Criteria for Lawful Processing of Personal Information

The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Criteria for Lawful Processing of Sensitive Personal Information (and Privileged Information)

The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations:

physically able to express his or her consent prior to the processing;

(c) The processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Consent of the Data Subject

➢ Refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.

➢ Consent shall be evidenced by written, electronic or recorded means.

➢ It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
➢ Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

➢ Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including

➢ Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last accessed and modified; and

(8) The designation, or name or identity and address of the personal information controller;

Right to Rectification or Correction

➢ Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

➢ If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

Right to Damages

Non Applicability of the Rights of Data Subject