2.4 Accountability of Transfer of Information
2.5 Penalties for Violation
Group 5
Margaret Repolidon
Marian Osorio
Riche Osin
Stephenjon Quiao
Questions:
1. Is there a general accountability obligation for data privacy?
2. What are the 5 pillars of data privacy accountability and compliance?
3. Is a Data Protection Officer (DPO) accountable for the PIC's or PIP's compliance with the Data Privacy Act?
4. Does an organization always need your consent before sharing your personal data?
5. How does the Data Privacy Act protect individuals from violations?
6. What if the offender is a partnership, corporation, or other juridical person?
7. What did the NPC issue in its Circular on Administrative Fines for data privacy infractions by a PIC or PIP? Explain.
8. What are the administrative violations of a PIC or PIP regarding data privacy?
9. What is the amount of the fine if a PIC or PIP is subject to an administrative violation of data privacy?
10. What happens if a PIC or PIP refuses to pay the administrative fine under the Circular on data privacy infractions?
Answers:
1. Answer: Yes. Personal Information Controllers (PICs) and Personal Information Processors (PIPs) must implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data.

2. Answer:
(1) Appoint a data protection officer.
(2) Conduct a privacy impact assessment to identify capabilities, threats, and risks.
(3) Develop a privacy management programme.
(4) Implement data privacy governance to ensure proper execution of security measures.
(5) Prepare data breach protocols.

3. Answer: Yes. A Data Protection Officer shall be accountable for ensuring compliance by the PIC or PIP with the Data Privacy Act, its Implementing Rules and Regulations (IRR), issuances of the National Privacy Commission (NPC), and other applicable laws and regulations relating to privacy and data protection.
4. Answer: No. Organizations do not always need your consent to use your personal data, because it may be used without consent where there is a valid reason for doing so.

5. Answer: The right to erasure or blocking. Under the law, you have the right to suspend, withdraw, or order the blocking, removal, or destruction of your personal data.

6. Answer: The law provides that the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence allowed, the commission of the crime.

7. Answer: Depending on whether the violation is grave or major, the NPC will impose administrative fines ranging from 0.5% to 3% and from 0.25% to 2%, respectively, of the annual gross income of the PIC or PIP that committed the infraction. If a PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity's total gross income at the time the violation was committed.
8. Answer: (1) Failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or (2) failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.

9. Answer: The PIC or PIP shall be subject to an administrative fine of not less than Fifty Thousand Pesos (Php 50,000.00) but not exceeding Two Hundred Thousand Pesos (Php 200,000.00).

10. Answer: PICs or PIPs that refuse to pay the administrative fine under the Circular may be subject to a Cease and Desist Order, to other processes or reliefs the Commission may be authorized to initiate pursuant to Section 7 of the Data Privacy Act, and to appropriate contempt proceedings under the Rules of Court.
REPUBLIC ACT NO. 10173
Accountability for Transfer of Personal Information
DATA PRIVACY ACT
- It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
Section 21: Principle of Accountability
- The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
- The personal information controller shall designate an
individual or individuals who are accountable for the
organization’s compliance with this Act. The identity
of the individual(s) so designated shall be made known
to any data subject upon request.
Accountability for violation of the Act, the
Rules and Other Issuances of the Commission
a. Any natural or juridical person, or other body involved in the processing of
personal data, who fails to comply with Act, the Rules, and other issuances of the
commission, shall be liable for such violation, and shall be subject to its
corresponding sanction, penalty, or fine, without prejudice to any civil or criminal
liability, as may be applicable.
b. In cases where a data subject files a complaint for violation of his or her rights
as data subjects, and for any injury suffered as a result of the processing of his or
her personal data, the Commission may award indemnity on the basis of the
applicable provisions of the New Civil Code.
c. In case of criminal acts and their corresponding personal penalties, the person
who committed the unlawful act or omission shall be recommended for
prosecution by the commission based on substantial evidence.
DATA BREACH NOTIFICATION

a.) The Commission and affected data subjects shall be notified by the personal
information controller within 72 hours upon knowledge of, or when there is
reasonable belief by the personal information controller or personal information
processor that, a personal data breach requiring notification has occurred.

b.) Notification of personal data breach shall be required when sensitive personal
information or any other information that may, under the circumstances, be used
to enable identity fraud are reasonably believed to have been acquired by an
unauthorized person, and the personal information controller or the Commission
believes that such unauthorized acquisition is likely to give rise to a real risk of
serious harm to any affected data subject.
c.) Depending on the nature of the incident, or if there is delay or failure to notify,
the Commission may investigate the circumstances surrounding the personal data
breach. Investigation may include on-site examination of systems and procedures.
Contents of Notification

The notification shall at least describe the nature of the breach, the personal data
possibly involved, and the measures taken by the entity to address the breach. The
notification shall also include measures taken to reduce the harm or negative
consequences of the breach, the representatives of the personal information
controller, including their contact details, from whom the data subject can obtain
additional information about the breach, and any assistance to be provided to the
affected data subjects.
Delay of Notification
- Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
- In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and the existence of good faith in the acquisition of personal data.
- The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest, or in the interest of the affected data subjects.
- The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.
Breach Report
- The personal information controller shall notify the Commission by submitting
a report, whether written or electronic, containing the required contents of
notification. The report shall also include the name of a designated
representative of the personal information controller, and his or her contact
details.
- All security incidents and personal data breaches shall be documented through
written reports, including those not covered by the notification requirements.
Enforcement of the Data Privacy Act
- Pursuant to the mandate of the Commission to administer and implement the
Act, and to ensure the compliance of personal information controllers with its
obligations under the law, the Commission requires the following:
a. Registration of personal data processing systems operating in the country that involve accessing or requiring sensitive personal information;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions;
c. Annual report of the summary of documented security incidents and personal data breaches; and
d. Compliance with other requirements that may be provided in other issuances of the Commission.
Registration of Personal Data Processing
Systems
a. The contents of registration shall include:
1. The name and address of the personal information controller or personal information processor;
2. The purpose or purposes of the processing, and whether processing is being
done under an outsourcing or subcontracting agreement;
3. A description of the category or categories of data subjects, and of the data or
categories of data relating to them;
4. The recipients or categories of recipients to whom the data might be disclosed;
5. Proposed transfers of personal data outside the Philippines;
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and information
security;
9. Attestation to all certifications attained that are related to information and
communications processing; and
10. Name and contact details of the compliance or data protection officer, which
shall immediately be updated in case of changes.
b. The procedure for registration shall be in accordance with the rules and other
issuances of the commission.
Notification of Automated Processing
Operations
a. The notification shall include the following information:
1. Purpose of processing;
2. Categories of personal data to undergo processing;
3. Category or categories of data subject;
4. Consent forms or manner of obtaining consent;
5. The recipients or categories of recipients to whom the data are to be disclosed;
6. The length of time the data are to be stored;
7. Methods and logic utilized for automated processing;
8. Decisions relating to the data subject that would be made on the basis of processed data;
9. Names and contact details of the compliance or data protection officer.
b. No decision with legal effects concerning a data subject shall be made solely on the
basis of automated processing without the consent of the data subject.
Violations, Jurisdiction, Penalties, and
Immunity
Any person who performs or causes the performance of the following acts shall be liable:
- Refusal to accept an application or request with complete requirements being submitted by an applicant or requesting party without due cause;
- Imposition of additional requirements other than those listed in the Citizen's Charter;
- Imposition of additional costs not reflected in the Citizen's Charter;
- Failure to give the applicant or requesting party a written notice on the disapproval of an application or request;
- Failure to render government services within the prescribed processing time on any application or request without due cause;
- Failure to attend to applicants or requesting parties who are within the premises
of the office or agency concerned prior to the end of official working hours and
during lunch break.
- Failure or refusal to issue official receipts; and
- Fixing and/or collusion with fixers in consideration of economic and/or other
gain or advantage.
Penalties and Liabilities.
Any of the preceding violations will warrant the following penalties and liabilities.
• Criminal liability - Criminal liability shall also be incurred through the commission of bribery, extortion, or when the violation was done deliberately and maliciously to solicit favor in cash or in kind. In such cases, the pertinent provisions of the Revised Penal Code and other special laws shall apply.
• Civil and Criminal Liability Not Barred - The finding of administrative liability under this Act shall not be a bar to the filing of criminal, civil, or other related charges under existing laws arising from the same act or omission as herein enumerated.
• Administrative Jurisdiction - The administrative jurisdiction over any violation of the provisions of this Act shall be vested in either the CSC or the Office of the Ombudsman, as determined by appropriate laws and issuances.
Immunity, Discharge of
Co-Respondent/Accused to be a Witness.
Any public official or employee or any person having been charged with another
offense under this Act and who voluntarily gives information pertaining to an
investigation or who willingly testifies therefore, shall be exempt from
prosecution in the case/s where his/her information and testimony are given. The
discharge may be granted and directed by the investigating body or court upon the
application or petition of any of the respondent/accused-informant and before the
termination of the investigation:
Provided, That:
A. There is absolute necessity for the testimony of the respondent/accused-informant whose
discharge is requested;
B. There is no other direct evidence available for the proper prosecution of the offense committed, except the testimony of said respondent/accused-informant;
C. The testimony of said respondent can be substantially corroborated in its material points;
D. The respondent/accused-informant has not been previously convicted of a crime involving moral turpitude; and
E. Said respondent/accused-informant does not appear to be the most guilty.
Evidence adduced in support of the discharge shall automatically form part of the records of
the investigation. Should the investigating body or court deny the motion or request for
discharge as a witness, his/her sworn statement shall be inadmissible as evidence.
THANK YOU FOR READING =)