
BACTEL4X : ELECTIVE 4

Topics for final period:
o Data Privacy Act
o Phil. Deposit Insurance Corp Act
o Anti-Money Laundering Act
o Secrecy of Bank Deposits

T1: Data Privacy Act

State Policy – To protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State also recognizes the vital role of information and communications technology in nation-building and enforces the State's inherent obligation to ensure that personal data in information and communications systems in the government and in the private sector are secured and protected.

DEFINITIONS

Areas of Privacy
o Information
o Communication
o Bodily
o Territorial

Personal Information
Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Data Subject
An individual whose personal, sensitive personal, or privileged information is processed.

Sensitive Information
Refers to personal information.

Privileged Information

Refers to any government entity created by the constitution or law and vested with law enforcement or regulatory authority and functions.

Processing
Refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. May be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

Personal Information Controller
Natural or juridical persons, or any body who controls the processing of personal data, or instructs another to process personal data on its behalf.
Exc.: A natural or juridical person who performs such functions as instructed by another person or organization; or a natural person who processes personal data in connection with his/her personal, family, or household affairs.

Personal Information Processor
Refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

Personal Data Breach
Refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

[For more terms check RA 10173]

SCOPE OF APPLICATION

Applies to the processing of personal data by any natural and juridical person in the government or private sector.

Extraterritorial Application
Also applies to an act done in and outside of the Philippines if:
• The natural or juridical person involved in the processing of personal data is found or established in the Philippines;
• The act, practice, or processing relates to personal data about a Philippine citizen or Philippine resident;
• The processing of personal data is being done in the Philippines; or
• The act, practice, or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to the following:
  o Use of equipment located in the country, or maintains an office, branch, or agency in the PH;
  o A contract is entered in the Philippines;
  o A juridical entity unincorporated in the Philippines but has central management and control in the country;
  o An entity that has a branch, agency, office, or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal data;
  o An entity that carries on business in the Philippines;
  o An entity that collects or holds personal data in the Philippines.

Special Cases – [See RA No. 10173, Section 5]

DATA PRIVACY PRINCIPLES

Transparency
Data subject must be aware of the:
o Nature, Purpose, Extent
o Risk and Safeguards involved
o His or her right as a data subject
o Identity of personal information controller
o How can these rights be exercised

Legitimate Purpose
The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

Proportionality
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

General Principles in Collection, Processing, and Retention
1. Collection must be for a declared, specified, and legitimate purpose.
2. Personal data shall be processed fairly and lawfully.
3. Processing should ensure data quality.
4. Personal data shall not be retained longer than necessary.
5. Any authorized further processing shall have adequate safeguards.

General Principles for Data Sharing

PROCESSING OF PERSONAL DATA
• Personal Information – Unless prohibited by law
• Sensitive Personal and Privileged Information – Except in cases provided by law

Conditions for Lawful Processing of Personal Information
• The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable.
• The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;
• The processing is necessary for compliance with a legal obligation to which the PIC is subject.

Cases where Sensitive Personal Information and Privileged Information may be Processed
• Consent is given by data subject prior to the processing of information;
• The processing is provided for by existing laws and regulations (does not require consent);
• The processing is necessary to protect the life and health of the data subject or another person.
• The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that:
  o Processing is confined and related to the bona fide members of these organizations or their associations;
  o The sensitive personal information is not transferred to third parties; and
  o Consent of the data subject was obtained prior to processing.
• For the purpose of medical treatment.
• The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal person in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.

SECURITY MEASURES FOR THE PROTECTION OF PERSONAL DATA

Personal Data Breach
Refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Types of Personal Data Breach

AVAILABILITY BREACH
Resulting from loss, accidental or unlawful destruction of personal data.

INTEGRITY BREACH
Resulting from alteration of personal data.

CONFIDENTIALITY BREACH
Resulting from the unauthorized disclosure of or access to personal data.

Types of Personal Data Breach
o Organizational Security Measures
o Physical Security Measures
o Technical Security Measure

Persons liable for Data Privacy and Security
o Personal Information Controllers
o Personal Information Processors

RIGHTS OF DATA SUBJECT
o Right to be Informed
o Right to Access
o Right to object
o Right to erasure or blocking
o Right to damages
o Right to file a complaint
o Right to rectify
o Right to data portability
