The Data Privacy Act of 2012 is a law in the Philippines that aims to protect the

personal information of individuals in both the public and private sectors. Below is a
summary of its key provisions

Scope: The law applies to the processing of personal information in both government
and private sectors.
Definition of personal information: The law defines personal information as any
information that can identify an individual, such as name, address, email, phone
number, ID number, and biometric information.
Consent: The law requires organizations to obtain the consent of the individual before
collecting, processing, or disclosing their personal information.
Rights of the data subject: The law grants individuals the right to be informed,
access their personal information, object to processing, and have their data corrected
or deleted.
Security measures: Organizations are required to implement reasonable and
appropriate security measures to protect personal information against unauthorized
access, use, or disclosure.
Breach notification: Organizations are required to notify the National Privacy
Commission and affected individuals in case of a data breach that may pose a risk to
their rights and freedoms.
Data protection officer: Organizations are required to appoint a data protection
officer to oversee compliance with the law.
Penalties: Violations of the law may result in fines, imprisonment, or both, depending
on the severity of the offense.

Item number 3: Consent

The Data Privacy Act of 2012 requires organizations to obtain the consent of the
individual before collecting, processing, or disclosing their personal information. The
consent must be specific, informed, and freely given by the individual. This means that
organizations must inform individuals of the purpose for which their personal
information will be collected, processed, or disclosed and obtain their explicit consent
before proceeding.
Organizations must also ensure that the individual is aware of their right to withhold
or withdraw their consent at any time. If an individual withdraws their consent, the
organization must immediately cease processing their personal information, unless
there is a legal basis for continued processing.
Item number 4: Rights of the data subject
The Data Privacy Act of 2012 grants individuals several rights concerning the
processing of their personal information:
a. Right to be informed: Individuals have the right to be informed about the collection,
processing, and disclosure of their personal information.
b. Right to access: Individuals have the right to access their personal information that
is being processed by an organization.
c. Right to object: Individuals have the right to object to the processing of their
personal information if they believe that it is being processed unlawfully or without a
legitimate purpose.
d. Right to rectification: Individuals have the right to have their personal information
corrected if it is inaccurate or incomplete.
e. Right to erasure or blocking: Individuals have the right to have their personal
information erased or blocked if it is being processed unlawfully or if it is no longer
necessary for the purpose for which it was collected.
f. Right to damages: Individuals have the right to claim damages if they suffer any
damage due to the processing of their personal information in violation of the law.
In summary, organizations must obtain explicit and informed consent from individuals
before collecting, processing, or disclosing their personal information, and individuals
have several rights to control and protect their personal information under the Data
Privacy Act of 2012.