DATA PRIVACY ACT
ILLUSTRATION: A passenger of a bus took a picture
Commission - shall refer to the National Privacy
Commission created by virtue of this Act.
Consent of the data subject - refers to any freely given,
specific, informed indication of will, whereby the data
subject agrees to the collection and processing of
personal information about and/or relating to him or her.
Consent shall be evidenced by written, electronic or
recorded means. It may also be given on behalf of the
data subject by an agent specifically authorized by the
data subject to do so.
Data subject - refers to an individual whose information
is processed.
Direct marketing - refers to communication by
whatever means of any advertising or marketing
material which is directed to particular individuals.
Filing system - refers to any act of information relating
to natural or juridical persons to the extent that, although
the information is not processed by equipment operating
automatically in response to instructions given for that
purpose, the set is structured, either by reference to
individuals or by reference to criteria relating to
individuals, in such a way that specific information
relating to a particular person is readily available.
Information and Communication System - refers to a
system for generating, sending, receiving, storing or
otherwise processing electronic data messages or
electronic documents and includes the computer system
or other similar device by which data is recorded,
transmitted, or stored and any procedure related to the
recording, transmission or storage of electronic data,
electronic message, or electronic document.
Personal information controller - refers to a person or
organization who controls the collection, holding,
processing or use of personal information, including a
person or organization who instructs another person or
organization to collect, hold, process, use, transfer or
disclose personal information on his or her behalf. The
term excludes:
1) A person or organization who performs such
functions as instructed by another person or
organization; and
2) An individual who collects, holds, processes or uses
personal information in connection with the
individual’s personal, family or household affairs.
Personal information processor - refers to any natural
or juridical person qualified to act as such under this Act
to whom a personal information controller may
outsource the processing of personal data pertaining to
a data subject.
ILLUSTRATION: The Human Resource Department,
headed by the Executive Vice President for HR, is
tasked to collect information from applicants who may
eventually be hired and join the company according to
the directives of the Board of Directors. In this case,
the EVP for HR is the Personal Data Processor
because he/she processes the information only through
the directives of the BOD, the latter being the Personal
Data Controller.
of the conductor which he found to be cute. Can the
passenger be considered a personal information
controller?
ANSWER: No, because the processing of personal
information (the picture which bears the face and can
be used to identify the data subject) is only for
personal affairs.
SCOPE:
Applicability:
1) The processing of all types of personal
information and
2) To any natural and juridical person involved in
personal information processing including those
personal information controllers and processors
who, although not found or established in the
Philippines, use equipment that are located in the
Philippines, or those who maintain an office, branch
or agency in the Philippines subject to the
immediately succeeding paragraph.
Does not apply to:
1) Information about any individual who is or was an
officer or employee of a government institution
that relates to the position or functions of the
individual, including:
a) The fact that the individual is or was an officer
of employee of the government institution;
b) The title, business address and office telephone
number of the individual;
c) The classification, salary range, and
responsibilities of the position held by the
individual; and
d) The name of the individual on a document
prepared by the individual in the course of
employment with the government;
2) Information about an individual who is or was
performing service under contact for a
government constitution that relates to the services
performed, including the terms of the contract, and
the name of the individual given in the course of the
performance of those services;
3) Information relating to any discretionary benefit of
a financial nature such as the granting of a license
or permit given by the government to an individual,
including the name of the individual and the exact
nature of the benefit;
4) Personal information processed for journalistic,
artistic, literary or research purposes;
5) Information necessary in order to carry out the
functions of public authority which includes the
processing of personal data for the performance by
the independent, central monetary authority and law
enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions.
No amendments or repeal to the following laws:
a) RA no. 1405 Secrecy of Bank Deposit Act
b) RA no. 6426 Foreign Currency Deposit Act
c) RA no. 9510 Credit Information System Act
6) Information necessary for banks and other
financial institutions under the jurisdiction of the
independent, central monetary authority or BSP to
comply with the CISA and RA 9160 as amended,
otherwise known as AMLA and other applicable
laws.
7) Personal information originally collected from the
residents of foreign jurisdictions in accordance
with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which is
being processed in the Philippines.
Protection Afforded to Journalists and Their Sources:
No amendment or repeal of RA no. 53, which affords
the publishers, editors or duly accredited reporters of
any newspaper, magazine or periodical of general
circulation protection from being compelled to reveal
the source of any news report or information appearing
in said publication which was related to any confidence
to such publisher, editor, or reporter.
Extraterritorial Application: The Data Privacy Act
applies to an act done or practice engaged in and outside
of the Philippines by an entity if:
1) The act, practice or processing related to personal
information about a Philippine citizen or a resident;
2) The entity has a link with the Philippines, and the
entity is processing personal information in the
Philippines or even if the processing is outside the
Philippines as long as it is about Philippine citizens
or residents such as, but not limited to, the
following:
a) A contract is entered in the Philippines;
b) A juridical entity unincorporated in the
Philippines but has central management and
control in the country; and
c) An entity that has a branch, agency, office or
subsidiary in the Philippines and the parent or
affiliate of the Philippine entity has access to
personal information; and
3) The entity has other links in the Philippines such as,
but not limited to:
a) The entity carries on business in the
Philippines; and
b) The personal information was collected or held
by an entity in the Philippines
The National Privacy Commission
Functions of the National Privacy Commission: The
Data Privacy commission was created to administer and
implement the provisions of the Data Privacy Act and to
monitor and ensure compliance of the country with
international standards set for data protection. Its
functions include:
1) Ensure compliance of personal information
controllers with the provisions of this Act;
2) Receive complaints, institute investigations,
facilitate or enable settlement of complaints through
the use of alternative dispute resolution processes,
adjudicate, award indemnity on matters affecting
any personal information, prepare reports on
disposition of complaints and resolution of any
investigation it initiates, and, in cases it deems
appropriate, publicize any such report: Provided,
That in resolving any complaint or investigation
(except where amicable settlement is reached by the
parties), the Commission shall act as a collegial
body. For this purpose; the Commission may be
given access to personal information that is subject
of any complaint and to collect the information
necessary to perform its functions under this Act:
3) Issue cease and desist orders, impose a temporary or
permanent ban on the processing of personal
information, upon finding that the processing will
be detrimental to national security and public
interest;
4) Compel or petition any entity, government agency
or instrumentality to abide by its orders or take
action on a matter affecting data privacy;
5) Monitor the compliance of other government
agencies or instrumentalities on their security and
technical measures and recommend the necessary
action in order to meet minimum standards for
protection of personal information pursuant to this
Act;
6) Coordinate with other government agencies and the
private sector on torts to formulate and implement
plans and policies to strengthen the protection of
personal information in the country;
7) Publish on a regular basis a guide to all laws
relating to data protection;
8) Publish a compilation of agency system of records
and notices, including index and other finding aids;
9) To recommend to the Department of Justice (DOJ)
the prosecution and imposition of penalties provided
under the Act;
10) Review, approve, reject or require modification of
privacy codes voluntarily adhered to by a personal
information controller. Provided, That the privacy
codes shall adhere to the underlying data privacy
principles embodied in this Act. Provided, further,
That such privacy codes may include private dispute
resolution mechanisms for complaints against any
participating personal information controller. For
this purpose, the Commission shall consult with
relevant regulatory agencies in the formulation and
ministration of privacy codes applying the standards
set out in this Act, with respect to the persons,
 entities, business activities and business sectors that
said regulatory bodies are authorized to principally
regulate pursuant to the law: Provided, finally, That
the Commission may review such privacy codes and
require changes thereto for purposes of complying
with the Data Privacy Act;
11) Provide assistance on matters relating to privacy or
data protection at the request of a national or local
agency, a private entity or any person;
12) Comment on the implication on data privacy of
proposed national or local statutes, regulations or
procedures, issue advisory opinions and interpret
the provisions of this Act and other data privacy
laws;
13) Propose legislation, amendments or modifications
to Philippine laws on privacy or data protection as
may be necessary;
14) Ensure proper and effective coordination with data
privacy regulators in other countries and private
accountability agents, participate in international
and regional initiatives for data privacy protection;
15) Negotiate and contract with other data privacy
authorities of other countries for cross-border
application and implementation of respective
privacy laws;
16) Assist Philippine companies doing business abroad
to respond to foreign privacy or data protection laws
and regulations;
17) Generally perform such acts as may be necessary to
facilitate cross-border enforcement of data privacy
protection.
Confidentiality: The Commission shall ensure at all
times the confidentiality of any personal information
that comes to its knowledge and possession.
Organizational Structure of the Commission: The
Commission shall be attached to the Department of
Information and Communications Technology (DICT)
and shall be headed by a Privacy Commissioner, who
shall also act as Chairman of the Commission.
The Privacy Commissioner shall enjoy the benefits,
privileges and emoluments equivalent to the rank of
Secretary.
The Privacy Commissioner shall be assisted by two (2)
Deputy Privacy Commissioners, one to be responsible
for Data Processing Systems and one to be responsible
for Policies and Planning.
They shall enjoy the benefits, privileges and
emoluments to the rank of Undersecretary.
Term and Vacancy: The Privacy Commissioner and the
two (2) Deputy Privacy Commissioners shall be
appointed by the President of the Philippines for a term
of three (3) years and may be reappointed for another
term of three (3) years. Vacancies in the Commission
shall be filled in the same manner in which the original
appointment was made.
Qualifications of The Privacy Commissioner:
1) At least thirty-five (35) years of age;
2) Of good moral character, unquestionable integrity
and known probity, and
3) A recognized expert in the field of information
technology and data privacy
The Deputy Privacy Commissioners must be recognized
experts in the field of information technology and data
privacy.
Acts done in good faith: The Privacy Commissioner, the
Deputy Privacy Commissioners, or any person acting on
their behalf or under their direction, shall not be civilly
liable for acts done in good faith in the performance of
their duties.
However, he or she shall be liable for willful or
negligent acts done by him or her which are contrary to
law, morals, public policy and good customs even if he
or she acted under orders or instructions of superiors. In
case a lawsuit is filed against such official on the subject
of the performance of his or her duties, where such
performance is lawful, he or she shall be reimbursed by
the Commission for reasonable costs of litigation.
The Secretariat: Majority of the members of the
Secretariat must have served for at least five (5) years in
any agency of the government that is involved in the
processing of personal information including, but not
limited to, the following offices: SSS, GSIS, LTO, BIR,
PhilHealth, COMELEC, DFA, DOJ, and Philpost.
PROCESSING OF PERSONAL INFORMATION
Processing refers to any operation or any set of
operations performed upon personal information
including, but not limited to:
1) Collection
2) Recording
3) Organization
4) Storage
5) Updating or Modification
6) Retrieval
7) Consultation
8) Use
9) Consolidation
10) Blocking
11) Erasure; or
12) Destruction of Data
General Data Privacy Principles: The processing of
personal information shall be allowed, subject to:
1) Compliance with the requirements of the Data
Privacy Act and other laws allowing disclosure of
information to the public and
2) Adherence to the following principles:
1. Principle of Proportionality: The processing of
Personal data shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a
declared and specified purpose. Personal data shall
be processed by the Company only if the purpose of
processing could not be reasonably be fulfilled by
other means
2. Principle of Legitimate Purpose: The processing
of personal data by the company shall be
compatible with a declared and specified purpose
which must not be contrary to law, morals, or public
policy
3. Principle of Transparency: The Data Subject must
be aware of the nature, purpose, and extent of the
Processing of his or her Personal Data by the
company, including the risks and safeguards
involved, the identity of persons and entities
involved in processing his or her Personal Data, his
or her rights as a Data Subject, and how these can
be exercised. Any information and communication
relating to the Processing of Personal Data should
be easy to access and understand, using clear and
plain language.
ILLUSTRATION: A customer wants to apply for a
loyalty rewards card. The customer service
representative asks the customer to fill-out a form
which includes information for blood type and
political affiliation. Can the company collect such
information?
ANSWER: No, because of the principle of
proportionality. Information relating to blood type and
political affiliation may be considered as going beyond
the necessary information necessary for the purpose of
processing which is his application for a loyalty
rewards card.
PERSONAL INFORMATION, whether recorded in a
material form or not, are those from which the identity
of an individual:
1. is apparent, or
2. can be reasonably and directly ascertained by the
entity holding the information, or
3. when put together with other information would
directly and certainly identify an individual
Examples: include the Data Owner's Name, Home
address and Phone number
Personal information must be:
1) Collected for specified and legitimate purposes
determined and declared before, as soon as
reasonably practicable after collection, and later
processed in a way compatible with such declared,
specified and legitimate purposes only;
2) Processed fairly and lawfully;
3) Accurate, relevant and, where necessary for
purposes for which is to be used the processing of
personal information, kept up to date; inaccurate or
incomplete data must be rectified, supplemented,
destroyed or then further processing restricted;
4) Adequate and not excessive in relation to the
purposes for which they are collected and
processed;
5) Retained only for as long as necessary for the
fulfillment of the purpose for which the data was
obtained or for the establishment, exercise or
defense of legal claims, or for legitimate business
purposes, or a provided by law; and
6) Kept in a form which permits identification of data
subjects for no longer than is necessary for the
purposes for which the data were collected and
processed: Provided, That personal information
collected for other purposes may lie processed for
historical, statistical or scientific purposes, and in
cases laid down in law may be stored for longer
periods: Provided, further, That adequate
safeguards are guaranteed by said laws authorizing
their processing.
The personal information controller must ensure
implementation of personal information processing
principles set out herein.
CRITERIA FOR LAWFUL PROCESSING OF
PERSONAL INFORMATION
The processing of personal information shall be
permitted only if no otherwise prohibited by law, and
when at least one of the following conditions exists:
1. The data subject has given his or her consent;
2. The processing of personal information is necessary
and is related to the fulfillment of a contract with
the data subject or in order to take steps at the
request of the data subject prior to entering into a
contract;
3. The processing is necessary for compliance with a
legal obligation to which the personal information
controller is subject;
4. The processing is necessary to protect vitally
important interests of the data subject, including life
and health;
5. The processing is necessary in order to respond to
national emergency, ho comply with the
requirements of public order and safety, or to fulfill
functions of public authority which necessarily
includes the processing of personal data for the
fulfillment of its mandate: or
6. The processing is necessary for the purposes of the
legitimate interests pursued by the personal
information controller or by a third party or parties
to whom the data is disclosed, except where such
interests are overridden by fundamental rights and
freedoms of the data subject which require
protection under the Philippine Constitution.
PRIVILEGED INFORMATION this refers to any and
all forms of data which under the Rules of Court and
other pertinent laws constitute privileged
communication.
Examples include:
1) Attorney-client privileged information
2) Doctor-patient privileged information
3) Marital privilege communication
4) Priest-confessor privileged information
SENSITIVE PERSONAL INFORMATION
This refers to personal information:
1. About an individual's race, ethnic origin, marital
status, age, color, and religious, philosophical or
political affiliations;
2. About an individual's health, education, genetic or
sexual life of a person, or to any proceeding for any
offense committed or alleged to have been
committed by such person, the disposal of such
proceedings, or the sentence of any court in such
proceedings;
3. Issued by government agencies peculiar to an
individual which includes, but not limited to, social
security numbers, previous or current health
records, licenses or its denials, suspension or
revocation, and tax returns; and
4. Specifically established by an executive order or an
act of Congress to be kept classified.
Sensitive Personal Information and Privileged
Information: The processing of sensitive personal
information and privileged information shall be
prohibited, except in the following cases:
1) The data subject has given his or her consent,
specific to the purpose prior to the processing, or in
the case of privileged information, all parties to the
exchange have given their consent prior to
processing;
2) The processing of the same is provided for by
existing laws and regulations, provided:
a) Such regulatory enactments guarantee the
protection of the sensitive personal information
and the privileged information; and
b) The consent of the data subject is not required
by law or regulation permitting the processing
of the sensitive personal information or the
privileged information;
3. The processing is necessary to protect the life and
health of the data subject or another person, and the
data subject is not legally or physically able to
express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful
and noncommercial objectives of public
organizations and their associations: provided:
a) That such processing is only confined and
related to their, fie members of these
organizations or their associations;
b) That the sensitive personal information is not
transferred to their parties; and
c) That consent of the data subject was obtained
prior to processing
5. The processing is necessary for purposes of medical
treatment, is carried out by a medical practitioner or
a medical treatment institution, and an adequate
level of protection of personal information is
ensured; or
6. The processing concerns such personal information
as is necessary for the protection of lawful rights
and interests of natural or legal persons in court
proceedings, or the establishment, exercise or
defense of legal claims, or when provided to
government or public authority.
ILLUSTRATION: A doctor logs in the symptoms and
medications prescribed of a particular client. Is the
doctor allowed to collect and process such
information?
ANSWER: Yes. Because it would fall on the medical
exception which is performed by a medical
practitioner.
ILLUSTRATION: The employee is being required to
provide his SSS, PAGIBIG, PhilHealth numbers to the
employer. Can the employer lawfully collect such
information?
ANSWER: Yes, because the processing of the same,
even though they are sensitive personal information is
provided for by existing laws and are necessary for the
company to comply with existing laws and regulations.
ILLUSTRATION: A card dealer is asking a potential
buyer to fill-out a form which includes the name,
credit card details (as mode of payment) address and
racial origin of the buyer. Can the car dealer legally
process the same?
ANSWER: As to the mare, and address, yes, since the
processing of the same is necessary and is related to
the fulfillment of a contract with the data subject or in
order to take steps at the request of the data subject
prior to entering into a contract.
As to the credit card details, being sensitive personal
information, consent must first be obtained to lawfully
process the same.
As to the racial origin, no, since it violates the
principle of proportionality, even if the data subject
gives his consent.
Subcontract of Personal Information: A personal
information controller may subcontract the processing of
personal information.
The personal information controller shall be responsible
for ensuring that proper safeguards are in place to
ensure:
1) The confidentiality of the personal information
processed,
2) Prevent its use for unauthorized purposes, and f) The identity and contact details of the
generally, personal information controller or its
representative;
3) Comply with the requirements of the Data Privacy
Act and other laws for processing of personal g) The period for which the information will be
information. stored; and
The personal information processor shall comply with h) The existence of their rights, i.e., to access,
all the requirements of the Data Privacy Act and other correction, as well as the right to lodge a
applicable laws. complaint before the Commission.
2. Right to Object - The data subject shall have the
right to object to the processing of his or her
Extension of Privileged Communication: Personal
personal data, including processing for direct
information controllers may invoke the principle of
marketing, automated processing or profiling.
privileged communication over privileged information
that they lawfully control or process. Subject to existing 3. Right to Withhold Consent - The data subject
laws and regulations, any evidence gathered on shall be notified and given an opportunity to
privileged information is inadmissible. withhold consent to the processing in case of
changes or any amendment to the information
ILLUSTRATION: Examples of Personal Information
supplied or declared to the data subject in the
(PI), Sensitive Personal Information (SPI) or Privileged
preceding paragraph.
Information (Privileged)
Amendment of information: Any information supplied or
Information TYPE
declaration made to the data subject on these matters
Gender SPI shall not be amended without prior notification of the
School graduated from and date SPI data subject. Except: the notification shall not apply
graduated should the personal information be needed pursuant to a
subpoena or when the collection and processing are for
E-mail address PI obvious purposes, including when it is necessary for the
Laptop’s IP address PI performance of or in relation to a contract of service or
when necessary or desirable in the context of an
Bank Account Number SPI employer- employee relationship, between the collector
Home Address PI and the data subject, or when the information is being
collected and processed as a result of legal obligation.
Income tax Return SPI
4. Right to Access - The data subject has reasonable
Location tracked using an app PI access to, upon demand, the following:
Court cases filed against the individual SPI a) Contents of his or her personal information that
Disclosures made to an auditor Prvlgd were processed;
b) Sources from which personal information were
obtained;
Rights of the Data Subject:
c) Names and addresses of recipients of the
1. Right to Informed Consent - The data subject personal information;
shall be informed whether personal information
pertaining to him or her shall be, are being or have d) Manner by which such data were processed;
been processed; e) Reasons for the disclosure of the personal
The following information must be provided before the information to recipients;
entry of the personal information into the processing f) Information on automated processes where
system, or at the next practical opportunity: the data will or likely to be made as the sole
a) Description of the personal information to be basis for any decision significantly affecting or
entered into the system; will affect the data subject;

b) Purposes for which they are being or are to be
processed;
c) Scope and method of the personal information
processing;
d) The recipients or classes of recipients to
whom they are or may be disclosed;
e) Methods utilized for automated access, if the
same is allowed by the data subject, and the
extent to which such access is authorized;
g) Date when his or her personal information
concerning the data subject were last accessed
and modified; and
h) The designation, or name or identity and
address of the personal data controller
5. Right to Correction - The data subject shall have
the right to dispute the inaccuracy or error in the
personal information and have the personal
information controller correct it immediately and
accordingly, unless the request is vexatious or
otherwise unreasonable.
If the personal information has been corrected, the
personal information controller shall ensure the
accessibility of both the new and retracted information
and the simultaneous receipt of new and retracted
information by recipients thereof: Provided, That the
third parties have previously received such processed
personal information shall be informed of its inaccuracy
and its rectification upon reasonable request of the data
subject;
6. Right to Erasure - the data subject shall have the
right to suspend, withdrawal or order the blocking,
removal or destruction of his or her personal
information from the personal information
controller’s filing system upon discovery and
substantial proof that the personal information is
incomplete, outdated, false, unlawfully obtained,
used for unauthorized purposes or are no longer
necessary for the purposes for which they were
collected. In this case, the personal information
controller may notify third parties who have
previously received such processed personal
information;
7. Right to Damages - The data subject shall be
indemnified for any damages sustained due to such
inaccurate, incomplete, outdated, false unlawfully
obtained or unauthorized use of personal
information.
8. Right to Data Portability - The right of the data
subject to obtain from the personal information
controller a copy of data, where personal
information is processed:
a) by electronic means and
b) in a structured and commonly used format
The Commission may specify the electronic format
referred to above, as well as the technical standards,
modalities and procedures for their transfer.
Transmissibility of Rights of the Data Subject - The
lawful heirs and assigns of the data subject may invoke
the rights of the data subject for which he or she is an
heir or assignee at any time after the death of the data
subject or when the data subject is incapacitated or
incapable of exercising the right as enumerated above.
Non-Applicability of Rights - The above rights of a data
subject are not applicable:
1) If the processed personal information is used only
for the needs of scientific and statistical research
and, on the basis of such, no activities are carried
out and no decisions are taken regarding the data
subject: Provided, That the personal information
shall be held under strict confidentiality and shall be
used only for the declared purpose; and
2) To processing of personal information gathered for
the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data
subject.
SECURITY OF PERSONAL INFORMATION
Security of Personal Information:
1. The personal information controller must implement
reasonable and appropriate organizational, physical
and technical measures intended for the protection
of personal information against any accidental or
unlawful destruction, alteration and disclosure,
as well as against any other unlawful processing.
2. The personal information controller shall implement
reasonable and appropriate measures to protect
personal information against natural dangers such
as accidental loss or destruction, and human dangers
such as unlawful access, fraudulent misuse,
unlawful destruction, alteration and contamination.
3. The determination of the appropriate level of
security must take into account (1) the nature of
the personal information to be protected, (2) the
risks represented by the processing, (3) the size of
the organization and complexity of its operations,
(4) current data privacy best practices and (5) the
cost of security implementation.
Subject to guidelines as the Commission may issue from
time to time, the measures implemented must include:
a. Safeguards to protect its computer network against
accidental, unlawful or unauthorized usage or
interference with or hindering of their functioning
or availability;
b. A security policy with respect to the processing of
personal information;
c. A process for identifying and accessing
reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive
corrective and mitigating action against security
incidents that can lead to a security breach; and
d. Regular monitoring for security breaches and a
process for taking preventive, corrective and
mitigating action against security incidents that can
lead to a security breach.
4. The personal information controller must further
ensure that third parties processing personal
information on its behalf shall implement the
security measures required by this provision.
5. The employees, agents or representatives of a
personal information controller who are involved in
the processing of personal information shall operate
and hold personal information under strict
confidentiality if the personal information is not
intended for public disclosure. This obligation shall
continue even after leaving the public service,
transfer to another position or upon termination of
employment or contractual relations.
6. The personal information controller shall promptly
notify the Commission and affected data subjects
when sensitive personal information or other
information that may, under the circumstances, be
used to enable identity fraud are reasonably
believed to have been acquired by an
unauthorized person, and the personal information
controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a
real risk of serious harm to any affected data
subject.
Notification to the Commission - The notification shall
at least describe the nature of the breach, the sensitive
personal information possibly involved, and the
measures taken by the entity to address the breath
Notification may be delayed only to the extent necessary
to determine e scope of the breach, to prevent further
disclosures, or to restore reasonable integrity to the
information and communications system
a. In evaluating if notification is unwarranted, the
Commission may take into account compliance by
the personal information controller with this
provision and existence of good faith in the
acquisition of personal information.
b. The Commission may exempt a personal
information controller from the notification where,
in its reasonable judgment, such notification would
not be in the public interest or in the interests of the
affected data subjects.
c. The Commission may authorize postponement of
notification where it may hinder the progress of a
criminal investigation related to a serious breach.
Period to Report - If there is likelihood of risk to
individuals, the data processor must report data breaches
within 72 hours.
ACCOUNTABILITY FOR TRANSFER OF
PERSONAL INFORMATION
Principle of Accountability - Each personal information
controller is responsible for personal information under
its control or custody, including information that has
been transferred to a third party for processing, whether
domestically or internationally, subject to cross-border
arrangement and cooperation.
1) The personal information controller is accountable
for complying with the requirements of the Data
Privacy Act and shall use contractual or other
reasonable means to provide a comparable level of
protection while the information is being processed
by a third party.
2) Data Protection Officer: The personal information
controller shall designate an individual or
individuals who are accountable for the
organization's compliance with the Data Privacy
Act. The identity of the individual(s) so designated
shall be made known to any data subject upon
request.
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT
Responsibility of Heads of Agencies - All sensitive
personal information maintained by the government,
its agencies and instrumentalities shall be assured, as far
as practicable, with the use of the most appropriate
standard recognized by the information and
communications technology industry, and is
recommended by the Commission.
The head of each government agency or
instrumentality shall be responsible for complying
with the security requirements mentioned while the
Commission shall monitor the compliance and may
recommend the necessary action in order to satisfy the
minimum standards.
Requirements Relating to Access by Agency Personnel
to Sensitive Personal Information:
1. On-site and Online Access - Except as may be
allowed through guidelines to be issued by the
Commission, no employee of the government shall
have access to sensitive personal information on
government property or through online facilities
unless the employee has received a security
clearance from the head of the source agency.
2. Off-site Access - Unless otherwise provided in
guidelines to be issued by the Commission,
sensitive personal information maintained by an
agency may not be transported or accessed from
a location of government property unless a request
for such transportation or access is submitted
and approved by the head of the agency in
accordance with the following guidelines:
a) Deadline for Approval or Disapproval - in
the case of any request submitted to the head of
an agency, such head of the agency shall
approve or disapprove the request within two
(2) business days after the date of submission
of the request.
In case there is no action by the head of the agency,
then such request is considered disapproved;
b) Limitation to 1,000 Records - If a request is
approved, the head d the agency shall limit the
access to not more than one thousand (1,000)
records at a time; and
c) Encryption - Any technology used to store,
transport or acres sensitive personal information
for purposes of off-site acres approved under
this subsection shall be secured by the use of
the most secure encryption standard
recognized by the Commission
Applicability to Government Contractors - In entering
into any contract that may involve accessing or requiring
sensitive personal information from one thousand
(4,000) or more individuals, an agency shall require a
contractor and its employees to register their
personal information processing system with the
Commission in accordance with the Data Privacy Act
and to comply with the other provisions of said Act in
the same manner as agencies and government employees
comply with such requirements.
6) Concealment of Security Breaches Involving
UNLAWFUL ACTS AND PENALTIES
1) Unauthorized Processing - any person who
processes personal information without the consent
of the data subject, or without being authorized
under the Data Privacy Act or any existing law.
Penalties:
data confidentiality and security data systems,
breaks in any way into any system where personal
and sensitive personal information is stored. Penalty
shall be imprisonment of 1 year to 3 years and a fine
of P500,000 to P2,000,000.
Sensitive Personal Information - any person who,
later having knowledge of a security breach and of
the obligation to notify the Commission,
intentionally or by omission conceals the fact of
such security breach. The penalty shall be
imprisonment of 1 year and 6 months to 5 years and
a fine of P500,000 to P1,000,000.

Type of Info Imprisonment Fine 7) Malicious Disclosure - Any personal information

controller or personal information processor or any
Personal of its officials, employees or agents, who, with
1 to 3 years P500,000 - P2M
Information malice or in bad faith, discloses unwarranted or
Sensitive Personal false information relative to any personal
3 to 6 years P500,000 - P4M information or personal sensitive information
Information
obtained by him or her. The penalty shall be
imprisonment of 1 year and 6 months to 5 years and
2) Access - any person who, due to negligence, a fine of P500,000 to P1,000,000.
provided access to personal information without 8) Unauthorized Disclosure - Any personal
being authorized under the Data Privacy Act or any information controller or personal information
existing law. Penalties: processor or any of its officials, employees p agents,
Type of Info Imprisonment Fine who discloses to a third party personal or sensitive
personal information, not covered by Malicious
Personal Disclosure above, without the consent of the data
1 to 3 years P500,000 - P2M
Information subject. The penalties:
Sensitive Personal Type of Info Imprisonment Fine
3 to 6 years P500,000 - P4M
Information
Personal
1 to 3 years P500,000 - P1M
Information
3) Improper Disposal - any person who knowingly or Sensitive Personal
negligently disposes, discards or abandons the 3 to 5 years P500,000 - P2M
Information
personal information of an individual in an area
accessible to the public or has otherwise placed the
personal information of an individual in its 9) Combination or Series of Acts - any combination or
container for trash collection. Penalties: series of acts as defined in above shall make the
Type of Info Imprisonment Fine person subject to imprisonment of 3 years to 6 years
and a fine of P1,000,000 to P5,000,000.
Personal 6 months to 2 P100,000 -
Information years P500,000
Sensitive Personal Extent of Liability:
1 to 3 years P100,000 - P1M
Information 1. Juridical Persons - If the offender is a corporation,
partnership or any juridical person, the penalty shall
be imposed upon the responsible officers, as the
4) Processing for Unauthorized Purpose - processing case may be, who participated in by their gross
personal information for purposes not authorized by negligence, allowed the commission of the crime. If
the data subject, or otherwise authorized under this the offender is a juridical person, the court may
Act or under existing laws. Penalties: suspend or revoke any of its rights under the Data
Type of Info Imprisonment Fine Privacy Act.
Personal 1 year and 6 2. Alien - if the offender is an alien, he or she shall, in
Information months to 3 P500,000 - P1M addition to the penalties above, be deported
years without further proceedings after serving the
penalties prescribed.
Sensitive Personal
2 to 7 years P500,000 - P2M 3. Large-Scale - the maximum penalty in the scale of
Information
penalties respectively provided shall be imposed
when the personal information of at least one
5) Unauthorized Access or Intentional Breach - any hundred (100) persons is harmed, affected or
person who knowingly and unlawfully, or violating
 involved as the result of the above-mentioned
actions.
4. Public Official or Employee - If the offender is a
public official or employee and he or she is found
guilty of Improper Disposal of Personal information
and Sensitive Personal Information and Processing
of personal Information and Sensitive Personal
Information for Unauthorized Persons, he or she
shall, in addition to the penalties prescribed, suffer
perpetual or temporary absolute disqualification
from office, as the case may be.
5. Offense Committed by Public Officer - When the
offender or the person responsible for the offense is
a public officer as defined in the Administrative
Code of the Philippines in the exercise of his or her
duties, an accessory penalty consisting in the
disqualification to occupy public office for a term
double the term of criminal penalty imposed shall
he applied.
6. Restitution - Restitution for any aggrieved party
shall be governed by the provisions of the New
Civil Code.
MULTIPLE CHOICE QUESTIONS
1) It refers to communication by whatever means of
any advertising or marketing material which is
directed to particular individuals.
a. Direct Marketing
b. Direct Communication
c. Direct Advertising
d. Direct Infringement
2) It refers to a person or organization who controls the
collection, holding, processing or use of personal
information, including a person or organization who
instructs another person or organization to collect,
hold, process, use, transfer or disclose personal
information on his or her behalf
a. Personal Information Collector
b. Personal Information Controller
c. Personal Information Manager
d. Personal Information Repository
3) It refers to an individual whose personal
information is processed.
a. Personal Information Provider
b. Personal Information Holder
c. Data Subject
d. Data Person
4) Anita obtains the addresses of her customers for her
food business, so that she may be able to deliver her
goods efficiently. Bonnie obtains the names and age
of her students as part of her record-keeping as
adviser of the class. Cassie obtains emails and
phone numbers of her friends to save on her phone.
Who among them is a personal information
controller?
a. Anita only
b. Anita and Bonnie only
c. Anita and Cassie only
d. Bonnie and Cassie only
5) Winnie, a personal information processor, is
charged with violation of the Data Privacy Act. The
violation consists of two acts. First, Winnie revealed
the salary range of Sally, an Administrative Officer
III at the Department of Finance, Second, Winnie,
in publishing her research, disclosed the ages and
sexes of the respondents to her survey. Is Winnie
liable for violation of the Data Privacy Act?
a. No
b. Yes, but only as to the first act
c. Yes, but only to the second act
d. Yes, on both acts
6) Which of the following statements is true regarding
news sources of journalists?
a. Journalists are compelled to reveal the source of
any news report.
b. Journalists, by order of a competent court, are
compelled to reveal the source of any news
report.
c. Journalists are compelled to reveal details
regarding sources of any news report except
those classified as sensitive personal
information.
d. Journalists are not compelled to reveal the
source of any news report.
7) Which of the following is not included in the
application of the Data Privacy Act?
I. Information about an individual who is or was
performing service under contract for a banking
institution that relates to the services performed
II. Information necessary for banks and other
financial institutions to comply with the Anti-Money
Laundering Act
a. I only.
b. II only.
c. I and II only.
d. Neither I nor II.
8) Which of the following statements is true regarding
a personal information controller outside the
Philippines?
a. A personal information controller outside the
Philippines is not covered by the Data Privacy
Act if the personal information pertains to
Philippine citizens
b. A personal information controller outside the
Philippines is not covered by the Data Privacy
Act if the personal information pertains to
Philippine residents
c. A personal information controller inside the
Philippines is not covered by the Data Privacy
 Act if the personal information pertains to non-
residents 14) This principle provides that the Processing of
d. A personal information controller outside Personal Data by the Company shall be compatible
the Philippines is covered by the Data with a declared and specified purpose which must
Privacy Act if the personal information not be contrary to law, morals, or public policy.
pertains to residents or citizens
a. Principle of Transparency
b. Principle of Compatibility
9) The National Privacy Commission is an agency c. Principle of Legitimate Purpose
attached to: d. Principle of Adherence
a. Department of National Defense
b. Commission on Human Rights 15) Kris joined the raffle draw of Barry’s Supermarket
c. Department of Information and in the hopes of winning a 42” Smart TV. Kris
Communications Technology indicated her mobile phone number and email
d. Department of Privacy address in the form given for the raffle entry. The
form looked simple for Kris. It just contained empty
fields to be filled out, the logo of Barry’s
10) All of the following are qualifications of the Privacy
Supermarket, and the grand prizes to be won.
Commission except:
However, to her surprise, Kris soon received
a. At least thirty-five (35) years of age multiple promotions from different brands asking
b. A resident of the Philippines for at least two her to buy products at a discount. Her email inbox
(2) years soon became spammed as well with unwanted
c. Of good moral character, unquestionable promotion. Is there a data privacy principle
integrity and known probity violated?
d. A recognized expert in the field of information
a. None
technology and data privacy
b. Yes. The Principle of Proportionality was
violated
11) Which of the following acts performed upon c. Yes. The Principle of Legitimate Purpose was
personal information constitute processing? violated
d. Yes. The Principle of Transparency was
I. Collection violated.
II. Storage
III. Retrieval
IV. Erasure 16) Which of the following best defines the term
a. I and III only “personal information”?
b. II and IV only a. Those which the data subject would normally
c. I, II, and III only and reasonably regard as private in nature
d. I, II, III, and IV b. Those from which the identity of an
individual is apparent or can be reasonably
and directly ascertained
12) This principle provides that the Processing of c. Those from which the identity of an individual
Personal data shall be adequate, relevant, suitable, can be subject to identity theft
necessary, and not excessive in relation to a d. Those which the personal information
declared and specified purpose. controller would regard as having economic
a. Principle of Proportionality value
b. Principle of Legitimate Purpose
c. Principle of Relevance
d. Principle of Reasonable Extent 17) Statement 1: There can be no lawful processing of
personal information without the consent of the data
subject.
13) This principle provides that the Data Subject must Statement 2: If the processing is necessary for
be aware of the nature, purpose, and extent of the compliance with a legal obligation to which the
Processing of his or her Personal Data by the personal information controller is subject, then such
Company, including the risks and safeguards is considered as lawful processing by the Data
involved, the identity of persons and entities Privacy Act.
involved in processing his or her Personal Data, his
or her rights as a Data Subject, and how these can a. Only Statement 1 is true.
be exercised. b. Only Statement 2 is true.
c. Both statements are true.
a. Principle of Proportionality d. Both statements are not true.
b. Principle of Informed Consent
c. Principle of Awareness
d. Principle of Transparency
18) All of the following are privileged information, 23) Statement 1: A data subject shall have the right to
except: be informed of the purpose for which his personal
information is being taken.
a. Attorney-client privileged information
b. Doctor-patient privileged information Statement 2: A data subject shall have the right to
c. Priest-confessor privileged information be informed of the duration for which his personal
d. Bank-client privileged information information will be stored by the personal
information controller.
a. Only Statement 1 is true
b. Only Statement 2 is true
19) Which of the following is classified as sensitive c. Both statements are true
personal information? d. Both statements are not true
a. List of Facebook friends
b. Tax Returns
24) Which of the following is false regarding the rights
c. Credit card information
of a data subject?
d. Passwords
a. A data subject shall have the right to object to
the processing of his o her personal data,
20) Which of the following is not classified as sensitive including processing for direct marketing
personal information? automated processing or profiling
a. Bank account number b. A data subject can no longer object to the
b. Political affiliation processing of his data once he has given it to
c. High school grades a personal information processor.
d. Social security numbers c. A data subject can choose which personal
information will be subject to processing,
withholding from processing those which he
21) Mr. X was admitted to a hospital. He is suffering chooses otherwise.
from difficulty in breathing, high fever, and fatigue. d. If a personal information controller changes the
His symptoms are quickly worsening. The doctor purpose for which the personal information of
asked his wife as to previous admissions, but the the data subject is to be processed, the data
wife had no idea. Instead, the wife informed the subject may withhold consent.
doctor that he was previously admitted at BCD
Hospital, and they have the health records of Mr. X.
The doctor called at BCD Hospital, and BCD 25) A data subject has the right to access:
Hospital disclosed the health records to the doctor. I. The address of the personal information
Is there any breach of the Data Privacy Act with the controller
disclosure? II. Sources from which his personal information
a. Yes, because Mr. X did not give her consent. were obtained
b. No, because Mr. X's wife, as his duly a. I only.
authorized representative, gave her consent for b. II only
the disclosure. c. Both I and II
c. Yes, because health records are considered as d. Neither I nor II
sensitive personal information.
d. No, because the processing of the personal
26) A data subject has the right to data portability. This
information is necessary for purposes of
means that-
medical treatment.
a. A data subject can transfer his data from one
personal information controller to another
22) Which of the following information can a business b. A data subject can obtain a copy of his
organization obtain without violating the Data personal information
Privacy Act? c. A data subject can change the purpose for
I. Tax Identification Number of its employees which his personal information will be
II. Medical records for employees who have processed
signified that they wish to avail of the health insurance d. A data subject can dictate the format in which
benefit of the .company his personal information will be stored
III. Names of customers for purposes of issuing
invoices and official receipts
27) Which of the following is true regarding the data
a. I only
subject's right to correction?
b. I and III only
c. I and II only a. The personal information controller shall
d. I, II, and III ensure the accessibility of both the new and
the retracted information
 b. The data subject can exercise this right only
once
c. The personal information controller has no
obligation to inform third persons who may
have obtained the data prior to correction of the
correction made by the data subject
d. The personal information controller is obligated
to delete the retracted information.
28) In the event that the personal information controller
reasonably believe that sensitive personal
information has been acquired by unauthorized
person, the personal information controller has the
obligation to:
a. Notify the affected data subjects
b. Notify the National Privacy Commission
c. Notify all data subjects which the personal
information
d. Notify both the affected data subjects and
the National Privacy Commission
29) The data processor must report data breaches to the
NPC within a period of:
a. 24 hours
b. 48 hours
c. 72 hours
d. Five days
30) A data privacy violation is considered to be large
scale if.
a. the personal information of at least ten (10)
persons is harmed
b. the personal information of at least twenty (20)
persons is harmed
c. the personal information of at least one
hundred (100) persons is harmed
d. the personal information of at least one
thousand (1,000) persons is harmed
FINANCIAL REHABILITATION
AND INSOLVENCY ACT
INTRODUCTION
DECLARATION OF POLICY: It is the policy of the
State  to encourage debtors, both juridical and natural
persons, and their creditors to collectively and
realistically resolve and adjust competing claims and
property rights. In furtherance thereof, the State shall
ensure a timely, fair, transparent, effective and efficient
rehabilitation or liquidation of debtors. The
rehabilitation or liquidation shall be made with a view to
ensure or maintain certainty and predictability in
commercial affairs, preserve and maximize the value of
the assets of these debtors, recognize creditor rights and
respect priority of claims, and ensure equitable treatment
of creditors who are similarly situated. When
rehabilitation is not feasible, it is in the interest of the
State to facilitate a speedy and orderly liquidation of
these debtors’ assets and the settlement of their
obligations. (Section 2)
NATURE OR PROCEEDINGS:
1. In rem. Meaning it is a proceeding which binds the
whole world.
2. Jurisdiction over all persons affected shall be
acquired upon publication of the notice of
commencement in a newspaper of general
circulation in the Philippines.
3. Proceedings shall be summary and non-adversarial.
PURPOSE:
1) To encourage debtors and creditors to collectively
and realistically resolve and adjust competing
claims and property rights through rehabilitation.
2) If not feasible, to facilitate speedy and orderly
liquidation of debtor’s assets and the settlement of
their obligations.
DEBTORS are defined under the law are insolvent:
1. Sole proprietorship registered with the DTI;
2. Partnership registered with the SEC;
3. Corporations organized and existing under the laws
of the Philippines; or
4. Individual debtors which are natural persons who
are residents and citizens of the Philippines
Group of Debtors refer to:
1) Financially related corporations - parent, subsidiary
or affiliates
2) Partnerships - more than 50% of which is owned by
the same person
3) Single Proprietorship - owned by the same
individual
EXCLUDED DEBTORS: Banks, pre-need companies,
insurance companies, and government agencies or units
- governed by their respective special laws.
INSOLVENT shall refer to the financial condition of a
debtor that is
1. Unable to pay its or his liabilities as they fall due; or
2. Has liabilities greater than its or his assets
CREDITORS include natural or juridical persons
which has a claim against the debtor that arose on or
before the commencement date, which can either be
secured or unsecured.
1) Unsecured creditors are those whose claim or
portion thereof is neither secured, preferred nor
subordinated
2) Secured creditors are those whose claims are
secured by a lien (either by law, agreement or by
judicial judgment) which legally entitles a creditor
 to resort the property subject of alien Tor payment
or his claim. Example:
3)