
[REPUBLIC ACT NO. 10173]

• An act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a national privacy commission, and for other purposes

This Act shall be known as the "Data Privacy Act of 2012"

DATA PRIVACY PRINCIPLES

a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection.

b) Processed fairly and lawfully

c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information.

d) Adequate and not excessive in relation to the purposes for which they are collected and processed

e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment.

f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided.

SCOPE OF APPLICATION

• This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines. Except:

1. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

a) The fact that the individual is or was an officer or employee of the government institution

b) The title, business address and office telephone number of the individual

2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed and etc.

(basically, for government-related individuals, personal information cannot be taken from them)

PROCESSING OF PERSONAL DATA

• The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

1) The data subject has given his or her consent

2) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.

3) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject

4) The processing is necessary to protect vitally important interests of the data subject, including life and health

SECURITY MEASURE

a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

(PIC, personal information controller: the person or organization who controls the processing of personal data. Even if a person or organization decides to outsource or instruct another to perform the processing on its behalf, it shall remain the PIC.)

c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.

d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.

e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure.

RIGHTS OF DATA SUBJECT

1) THE RIGHT TO BE INFORMED (your personal information shall never be collected, processed, and stored by any organization without your explicit consent, unless otherwise provided by law)

2) THE RIGHT TO ACCESS (your right to find out whether an organization holds any personal data about you. With this right you may ask them to provide you a written description of the kind of information they have about you and their purpose for holding them)

3) THE RIGHT TO OBJECT (you can exercise your right to object if the personal data processing involved is based on consent or on legitimate interest)

4) THE RIGHT TO ERASURE OR BLOCKING (suspend, withdraw, or order the blocking, removal or destruction of your personal data)

5) THE RIGHT TO DAMAGES (you may claim compensation for damages suffered due to inaccurate, incomplete, false, or unlawfully obtained personal data, or personal data used for unauthorized purposes, considering any violation of your rights and freedoms as a data subject)

6) THE RIGHT TO FILE A COMPLAINT (if you feel that your personal information has been misused, maliciously disclosed or improperly disposed of, or that any of your data privacy rights has been violated, you have the right to file a complaint with the National Privacy Commission)

7) THE RIGHT TO RECTIFY (you have the right to dispute and have corrected any inaccuracy or error in the data that the personal information controller holds about you. The PIC should act immediately and accordingly)

8) THE RIGHT TO DATA PORTABILITY (this right assures that you remain in full control of your data. It allows you to obtain and electronically move, copy or transfer your data in a secure manner)

Data Breach Notification

• A data breach happens when a security incident results in a breach of confidentiality, availability, or integrity of the data that the firm or organization is responsible for. The company/organization is required to notify the supervisory authority without undue delay, and at the latest within 72 hours of becoming aware of the breach, if that occurs and it is likely that the breach poses a risk to a person's rights and freedoms.

• If the data breach poses a high risk to the people involved, they should all be informed, unless suitable technological and organizational safeguards have been put in place, or other safeguards have been put in place to ensure that the risk is no longer likely to materialize

(data breach: this is when someone who is not authorized gains access to your data; these are the so-called hackers)
• confidentiality breach - unauthorized disclosure or access to personal data

• integrity breach - alteration of personal data, because it renders its correctness, completeness or reliability

• availability breach - accidental or unlawful destruction or loss of personal data

OUTSOURCING AND SUBCONTRACTING AGREEMENTS

AGREEMENTS FOR OUTSOURCING.

• Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller

a) The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.

b) The contract or other legal act shall stipulate, in particular, that the personal information processor shall

SUBCONTRACT OF PERSONAL DATA.

• A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission.

REGISTRATION OF DATA

MANDATORY REGISTRATION.

• A PIC or PIP shall register its data processing systems if it is processing personal data and operating in the country under any of the following conditions:

a) the PIC or PIP employs at least two hundred fifty (250) employees

b) the processing includes sensitive personal information of at least one thousand (1,000) individuals

c) the processing is likely to pose a risk to the rights and freedoms of data subjects

VOLUNTARY REGISTRATION.

• An application for registration by a PIC or PIP whose data processing system does not operate under any of the conditions set out in the next preceding Section shall be accepted as a voluntary registration.
