
Overview of the Data Privacy Act of 2012


What is the DPA?
The Data Privacy Act (DPA) is a new data protection framework that governs how
organizations collect, process, and use personal data across the Philippines (PHL). The
DPA took effect in September 2017 and imposes new rules on organizations in the PHL
and on those that offer goods and services to people in the PHL, or that collect and analyze
data tied to people in the PHL, no matter where the organizations are located.

• One set of rules applies to all companies collecting, storing, or using the personal
data of people in the PHL.
• 100% of companies that collect or process personal data of people in the PHL are
covered, even if the data is stored or used outside the PHL.
• 72 hours: the time in which data breaches must generally be reported to the
National Privacy Commission.
• Penalties for non-compliance: 1 to 7 years imprisonment and a fine ranging from
500,000 to 5 million pesos.
• DPO required: many businesses are required to appoint a Data Protection Officer,
including those processing high volumes of personal data.
Purpose
To protect the fundamental human right of
privacy while ensuring the free flow of
information to promote innovation and
growth.

What information does the DPA apply to?

Material Scope
The law applies to the processing of all types
of personal information and to any natural
person or legal entity involved in personal
information processing.

Territorial Scope
Applies to data controllers and processors who
are located in the Philippines, use equipment
that is located in the Philippines or who
maintain an office, branch or agency in the
Philippines.

Also applies to actions outside of the territory


of the Philippines where the act, practice or
processing relates to personal data about a
Philippine citizen or resident, or where the
entity carries on business in the Philippines and
information is collected or held by an entity.
Personal Information
Refers to any information, whether recorded
in a material form or not, from which the
identity of an individual is apparent or can be
reasonably and directly ascertained by the
entity holding the information or when put
together with other information would directly
and certainly identify an individual.
Sensitive Personal Information
Sensitive personal data is personal data relating to:

• Race, ethnic origin, marital status, age, color
• Religious, philosophical or political affiliations
• Health, education, genetic, and sexual life
• Any proceeding for any offense committed
• Information issued by government agencies
• Information specifically kept classified by an EO or an act
of Congress
Publicly Available Information
The act excludes from scope information
necessary in order to carry out the functions
of public authority, which includes the
processing of personal data for the
performance by the independent, central
monetary authority and law enforcement and
regulatory agencies of their constitutionally
and statutorily mandated functions.
Rights of Data Subjects
• Consent is required prior to the collection of all personal data.
• The data subject must be informed about the extent and purpose of
processing.
• Consent is needed for the automated processing of personal data,
for data sharing, and for sharing information with affiliates or mother
companies; it must be 'freely given, specific, informed' and must be
evidenced by recorded means.

Data Processing and Recording
• Consent is not required for processing where the data subject is
party to a contractual agreement, for purposes of fulfilling that
contract; for the protection of the vital interests of the data subject;
as a response to a national emergency; and for the legitimate interests
of the data controller.

Agreement
• The law requires that when sharing data, the sharing must be covered
by an agreement that provides adequate safeguards for the rights of
the data subjects, and that these agreements are subject to review by
the National Privacy Commission.
Privacy Principles
Preventing Harm Principle
The requirement to notify affected data
subjects of a breach is predicated upon an
assessment of whether the unauthorized
acquisition is likely to give rise to a real risk of
serious harm to any affected data subject.

Lawfulness, Fairness and Transparency
Personal data shall be processed fairly and
lawfully.
Purpose Limitation
Personal data should be collected for
specified and legitimate purposes determined
and declared before or as soon as reasonably
practicable after collection, and later
processed in a way compatible with such
declared, specified and legitimate purposes
only.

Data Minimization
Personal data shall be adequate and not
excessive in relation to the purposes for which
they are collected and processed.
Accuracy
Personal data should be accurate, relevant
and, where necessary for the purposes for which
it is to be used in the processing of personal
information, kept up to date; inaccurate or
incomplete data must be rectified,
supplemented, destroyed or its further
processing restricted.

Storage Limitation
Personal data shall be retained only for as
long as necessary for the fulfillment of the
purposes for which the data was obtained or
for the establishment, exercise or defense of
legal claims, or for legitimate business
purposes or as provided by law.
Notice and Choice
The data subject is entitled to be informed
of the following:

• Information to be entered
• Purpose
• Scope and method of processing
• Recipients of information
• Methods of access
• Period of storage
• How to file a complaint
Confidentiality, Integrity and Availability
The controller must implement reasonable and
appropriate organizational, physical and
technical measures intended for the protection
of personal information against any accidental
or unlawful destruction, alteration and
disclosure, as well as against any other unlawful
processing.
Penalties
• Fines ranging from P100,000 to P5,000,000
• Imprisonment of 1 year up to 6 years

Punishable acts:
• Unauthorized processing of personal information and sensitive personal
information
• Accessing personal information and sensitive personal information due to
negligence
• Improper disposal of personal information and sensitive personal
information
• Processing of personal information and sensitive personal information for
unauthorized purposes
• Unauthorized access or intentional breach
• Concealment of security breaches involving sensitive personal information
• Malicious disclosure
• Unauthorized disclosure
The DDB’s Privacy Agreement
Dangerous Drugs Board Privacy Agreement

Please read the herein stated Agreement carefully and evidence your acceptance of its terms by clicking on the Agree
button below:

1. You understand and agree that this Agreement between you and the Dangerous Drugs Board covers the terms and
conditions of your use and access to the Integrated Drug Monitoring and Reporting Information System website online
service.
In offering this Website, DDB is making available to you the services, through the facilities of the Internet, which allow
you to access the IDMRIS database; to encode and view drug surrenderers’ data such as personal information,
intervention and other pertinent information regarding their rehabilitation; and anti-drug related efforts and activities
of your organisation.

2. The Dangerous Drugs Board is responsible for collecting all information and reports submitted to the IDMRIS by
authorised representatives of DDB partners/stakeholders.

3. The data collection is for analysis and monitoring of reports. The information gathered will be used as basis for the
development and improvement of policies and drug abuse intervention programs.
4. The information and reports generated from the IDMRIS may be shared to other authorised organizations, partner agencies
and local government units.

5. You as the DDB partner/stakeholder submitting to IDMRIS may only view, edit and access your own data on drug
surrenderers and anti-drug related efforts and activities.

6. You shall immediately notify us if there are errors or discrepancies in your data. When notifying us of possible security
breaches, please include your:
- Name and user ID
- Name of Agency/Organization
- Contact details
- Date and time of the security breach or fraud
- Description of the error that has occurred.

7. By your use and/or continued use of this Website, or access and use of the service provided through this Website, you signify
your agreement to indemnify and to keep the DDB, its directors, and employees fully and effectively indemnified against all
actions, liabilities, costs, claims, losses, damages, proceedings and/or expenses (including all legal costs on an indemnity basis)
without prejudice to the filing of any criminal case for violation of any statute or law.
8. Violation of any of the provisions of this agreement shall constitute breach and shall terminate
this agreement immediately without need of notice, without prejudice to criminal prosecution
for violation of RA 10173 otherwise known as the Data Privacy Act of 2012, as well as other
pertinent laws.

9. You understand that you may provide and receive information related to your Accounts via
this Website. By accessing the Website, you hereby agree to the above terms and conditions of
use.
Thank You!
