4 Accountability of Transfer of Information
2.5 Penalties for Violation
Group 5
Margaret Repolidon
Marian Osorio
Riche Osin
Stephenjon Quiao
Questions:
1. Is there a general accountability obligation for data privacy?
2. What are the 5 pillars of data privacy accountability and compliance?
3. Is a Data Protection Officer (DPO) accountable for the compliance of the PIC or PIP with the Data Privacy Act?
4. Does an organization always need your consent before using or sharing your personal data?
5. How does the Data Privacy Act protect individuals from violations?
6. What if the offender is a partnership, corporation, or any other juridical person?
7. What does the NPC Circular on Administrative Fines provide for data privacy infractions of a PIC or PIP? Explain.
8. What are the administrative violations of a PIC or PIP regarding data privacy?
9. What is the amount of the fine if a PIC or PIP commits an administrative violation of data privacy?
10. What happens if a PIC or PIP refuses to pay an administrative fine imposed under the Circular on data privacy infractions?
Answers:
1. Answer: Yes. Personal Information Controllers (PICs) and Personal Information Processors (PIPs) must implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data.
3. Answer: Yes. A Data Protection Officer shall be accountable for ensuring the compliance of the PIC or PIP with the Data Privacy Act, its Implementing Rules and Regulations (IRR), issuances by the National Privacy Commission (NPC), and other applicable laws and regulations relating to privacy and data protection.
4. Answer: No. Consent is only one of the lawful bases for processing under the Act. An organization may process personal data without consent where another lawful basis applies, for example when the processing is necessary to perform a contract with the data subject, to comply with a legal obligation, or to pursue the organization's legitimate interests, provided those interests are not overridden by the fundamental rights and freedoms of the data subject.
6. Answer: If the offender is a partnership, corporation, or any other juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence allowed, the commission of the crime.
7. Answer: Depending on whether the infraction is grave or major, the NPC will impose an administrative fine ranging from 0.5% to 3% or from 0.25% to 2%, respectively, of the annual gross income of the PIC or PIP that committed the infraction. If the PIC or PIP has been operating for no more than one year, the base for computing the administrative fine is the entity's total gross income at the time the violation was committed.
8. Answer: (1) Failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or (2) failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.
9. Answer: For these violations, the PIC or PIP shall be subject to an administrative fine of not less than Fifty Thousand Pesos (PHP 50,000.00) but not exceeding Two Hundred Thousand Pesos (PHP 200,000.00).
10. Answer: A PIC or PIP that refuses to pay an administrative fine under the Circular may be subject to a Cease and Desist Order, to other processes or reliefs the Commission is authorized to initiate under Section 7 of the Data Privacy Act, and to appropriate contempt proceedings under the Rules of Court.
REPUBLIC ACT NO. 10173 (DATA PRIVACY ACT), Section 21
Accountability for Transfer of Personal Information
- It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
Principle of Accountability
- The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
- The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.
Accountability for Violation of the Act, the Rules and Other Issuances of the Commission
a. Any natural or juridical person, or other body involved in the processing of personal data, who fails to comply with the Act, the Rules, and other issuances of the Commission shall be liable for such violation and shall be subject to the corresponding sanction, penalty, or fine, without prejudice to any civil or criminal liability, as may be applicable.
b. Where a data subject files a complaint for violation of his or her rights as a data subject, and for any injury suffered as a result of the processing of his or her personal data, the Commission may award indemnity on the basis of the applicable provisions of the New Civil Code.
c. In the case of criminal acts and their corresponding personal penalties, the person who committed the unlawful act or omission shall be recommended for prosecution by the Commission based on substantial evidence.
DATA BREACH NOTIFICATION
a.) The Commission and affected data subjects shall be notified by the personal
information controller within 72 hours upon knowledge of, or when there is
reasonable belief by the personal information controller or personal information
processor that, a personal data breach requiring notification has occurred.
b.) Notification of personal data breach shall be required when sensitive personal
information or any other information that may, under the circumstances, be used
to enable identity fraud are reasonably believed to have been acquired by an
unauthorized person, and the personal information controller or the Commission
believes that such unauthorized acquisition is likely to give rise to a real risk of
serious harm to any affected data subject.
c.) Depending on the nature of the incident, or if there is delay or failure to notify,
the Commission may investigate the circumstances surrounding the personal data
breach. Investigation may include on-site examination of systems and procedures.
Contents of Notification
The notification shall at least describe the nature of the breach, the personal data
possibly involved, and the measures taken by the entity to address the breach. The
notification shall also include measures taken to reduce the harm or negative
consequences of the breach, the representatives of the personal information
controller, including their contact details, from whom the data subject can obtain
additional information about the breach, and any assistance to be provided to the
affected data subjects.
Delay of Notification
- Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.