
THE DATA PRIVACY ACT

Republic Act No. 10173 and its Implementing Rules and Regulations

“The right to be let alone is . . . the beginning of all freedom.”* It is
“the most comprehensive of rights and the right most valued by
civilized men.”**
(Morfe v. Mutuc, G.R. No. L-20387, January 31, 1968)

*Quoting the dissent of Justice Douglas in Public Utilities Commission v. Pollak, 343 U.S. 451, 467 (1952).
**Quoting the dissent of Justice Brandeis in Olmstead v. United States, 277 U.S. 438, 478 (1928).
THE RIGHT TO PRIVACY

• "the right to be free from unwarranted exploitation of one's person or from
intrusion into one's private activities in such a way as to cause humiliation
to a person's ordinary sensibilities."
• "to be free from unwarranted publicity, or to live without unwarranted
interference by the public in matters in which the public is not necessarily
concerned."
• "the right to be let alone."
(Spouses Hing v. Choachuy, Sr., G.R. No. 179736, June 26, 2013)
Indeed, if we extend our judicial gaze we will find that
the right of privacy is recognized and enshrined in several provisions of
our Constitution.
(Ople v. Torres, G.R. No. 127685, July 23, 1998)
THE BILL OF RIGHTS

The privacy of communication and correspondence shall be inviolable except upon
lawful order of the court, or when public safety or order requires otherwise as
prescribed by law.
(Sec. 3[1])
THE BILL OF RIGHTS

No person shall be deprived of life, liberty, or property
without due process of law, nor shall any person be denied
the equal protection of the laws.
(Sec. 1)
THE BILL OF RIGHTS

The right of the people to be secure in their persons, houses, papers, and
effects against unreasonable searches and seizures of whatever nature and
for any purpose shall be inviolable, and no search warrant or warrant of
arrest shall issue except upon probable cause to be determined personally
by the judge after examination under oath or affirmation of the
complainant and the witnesses he may produce, and particularly describing
the place to be searched and the persons or things to be seized.
(Sec. 2)
THE BILL OF RIGHTS

The liberty of abode and of changing the same within the
limits prescribed by law shall not be impaired except upon
lawful order of the court. Neither shall the right to travel be
impaired except in the interest of national security, public
safety, or public health as may be provided by law.
(Sec. 6)
THE BILL OF RIGHTS

The right of the people, including those employed in the public and
private sectors, to form unions, associations, or societies for purposes
not contrary to law shall not be abridged.
(Sec. 8)
THE BILL OF RIGHTS

No person shall be compelled to be a witness against himself.
(Sec. 17)
REASONABLE EXPECTATION OF PRIVACY

Two-part test:
(1) whether, by his conduct, the individual has exhibited an expectation
of privacy (subjective); and
(2) this expectation is one that society recognizes as reasonable
(objective).
(Ople v. Torres, G.R. No. 127685, July 23, 1998)

- Citing Rakas v. Illinois, 439 U.S. 128 (1978)

REASONABLE EXPECTATION OF PRIVACY

Customs, community norms, and practices may, therefore, limit or extend
an individual's "reasonable expectation of privacy." Hence, the
reasonableness of a person's expectation of privacy must be determined
on a case-to-case basis since it depends on the factual circumstances
surrounding the case.
(Spouses Hing v. Choachuy, Sr., G.R. No. 179736, June 26, 2013)
IS THERE REASONABLE EXPECTATION OF
PRIVACY IN CYBERSPACE?

[H]aving an expectation of informational privacy is not necessarily
incompatible with engaging in cyberspace activities, including those
that occur in [Online Social Networks].
(Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014)
PRIVACY IN OSN

Before one can have an expectation of privacy in his or her OSN activity, it is first
necessary that said user. . . manifest the intention to keep certain posts private, through
the employment of measures to prevent access thereto or to limit its visibility. And this
intention can materialize in cyberspace through the utilization of the OSN's privacy tools.
In other words, utilization of these privacy tools is the manifestation, in cyber world, of the
user's invocation of his or her right to informational privacy.
(Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014)
PRIVACY TOOLS IN OSN

It is through the availability of . . . privacy tools that many OSN users
are said to have a subjective expectation that only those to whom they
grant access to their profile will view the information they post or
upload thereto.
(Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014)
“FRIENDS” SETTING ON FB

[S]etting a post's or profile detail's privacy to "friends" does not guarantee
that the content will not be accessible to another user who is not Facebook
friends with the source thereof.
(Office of the Court Administrator v. Atillo, Jr., A.M. No. RTJ-21-018, [September 29, 2021])
IN OTHER WORDS . . .

The intention to limit access to [a] particular post, instead of being broadcasted to the
public at large or all the user's friends en masse, [is] more manifest and palpable [by
the use of] the "Me Only" privacy setting, or the "Custom" setting [of Facebook or
Meta.]
(a restatement of Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014)
THE RIGHT TO PRIVACY

• As for the exclusionary rule, the Bill of Rights was intended to protect
private individuals against government intrusions.
• Violation of the right to privacy between individuals is properly governed
by the provisions of the Civil Code, the Data Privacy Act, and other
pertinent laws. Admissibility shall be governed by the rules on relevance,
materiality, authentication of documents, and the exclusionary rules under
the Rules on Evidence.
(Cadajas y Cabias v. People, G.R. No. 247348, November 16, 2021)
CIVIL CODE PROVISIONS ON PRIVACY

Every person shall respect the dignity, personality, privacy and
peace of mind of his neighbors and other persons. The following and
similar acts, though they may not constitute a criminal offense, shall
produce a cause of action for damages, prevention and other relief:

(1) Prying into the privacy of another's residence;
(2) Meddling with or disturbing the private life or family relations of
another;
...
(Art. 26, NCC)
CIVIL CODE PROVISIONS ON PRIVACY

Any public officer or employee, or any private individual, who directly or
indirectly obstructs, defeats, violates or in any manner impedes or impairs
any of the following rights and liberties (among others) of another person
shall be liable to the latter for damages:

• The right against deprivation of property without due process of law;
• The right to be secure in one's person, house, papers, and effects
against unreasonable searches and seizures;
• The privacy of communication and correspondence;
• Freedom from being compelled to be a witness against one's self;
(Art. 32, NCC)
OTHER PERTINENT LAWS ON PRIVACY

• Cybercrime Prevention Act
• Anti-Photo Voyeurism Act
• Anti-Child Pornography Act
• Access Devices Regulation Act
• Electronic Commerce Act
• DICT Law
• Bank Secrecy Law
• Foreign Currency Deposit Act
• The Anti-Wiretapping Act
• The Revised Penal Code
• Others (Rule on the Writ of Habeas Data)
THREE STRANDS OF THE RIGHT TO PRIVACY

• Locational or situational privacy
• Informational privacy
• Decisional privacy

(Vivares v. St. Theresa's College, G.R. No. 202666, [September 29, 2014])
Locational privacy, also known as situational privacy, pertains to privacy
that is felt in a physical space. It may be violated through an act of trespass
or through an unlawful search.
(Separate opinion of Justice Leonen* in Versoza v. People, G.R. No. 184535, September 3, 2019)

* Quoting Former Chief Justice Puno in his speech “The Common Right to Privacy.”
Decisional privacy involves the right to independence in making certain important
decisions, while informational privacy refers to the interest in avoiding disclosure of
personal matters.
(Disini, Jr. v. Secretary of Justice, G.R. Nos. 203335, etc., February 18, 2014)

- Citing Whalen v. Roe, 429 U.S. 589 (1977)

Decisional privacy, regarded as the most controversial among the three, refers
to one's right "to make certain kinds of fundamental choices with respect to
their personal and reproductive autonomy." It finds relevance in matters that
involve one's reproductive health.
(Versoza v. People, G.R. No. 184535 (Resolution), [September 3, 2019])

- See also Vivares v. St. Theresa’s College, G.R. No. 202666, September 29, 2014; both cases cite Justice Puno’s speech, “The
Common Right to Privacy.”
THE DPA PROTECTS INFORMATIONAL PRIVACY

Informational privacy is the right to control information about oneself.

(Vivares v. St. Theresa's College, G.R. No. 202666, [September 29, 2014])
INFORMATIONAL PRIVACY HAS THE FOLLOWING
ASPECTS:

(1) to keep inalienable information to themselves;
(2) to prevent first disclosure;
(3) to prevent further dissemination in case the information has already been
disclosed;
(4) the right to be forgotten, or the right to prevent the storage of data.

(Cadajas v. People, G.R. No. 247348, [November 16, 2021])


WHAT IS THE DATA PRIVACY ACT?

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR
OTHER PURPOSES
THE DATA PRIVACY ACT

Republic Act No. 10173 was signed into law on August 15, 2012.
INTERNATIONAL DATA SECURITY STANDARDS

The . . . Data Privacy Act was based heavily [on] Directive 95/46/EC* of the
European Parliament and Council and is at par with the Asia Pacific Economic
Cooperation (APEC) Information Privacy Framework** standards.
(Senate of the Philippines, 19th Congress, Press Release, March 20, 2012)

• * Directive 95/46/EC has since been repealed by Regulation 2016/679.
• ** then version 2005; now updated 2015.
THE POLICY OF THE LAW

It is the policy of the State to protect the fundamental human right of
privacy of communication while ensuring free flow of information to
promote innovation and growth. The State recognizes the vital role of
information and communications technology in nation-building and its
inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are
secured and protected.
(Sec. 2, DPA)
INTERPRETATION

Any doubt in the interpretation of any provision of this Act shall
be liberally interpreted in a manner mindful of the rights and
interests of the individual about whom personal information is
processed.
(Sec. 38, DPA)
The law has the twin task of protecting the right to privacy while ensuring
the free flow of information. This means recognizing the fundamental right
of individuals to the protection of the privacy of their personal data, and at
the same time, recognizing interests of the government and the private
sector in the processing of personal data which is vital in the
implementation of constitutional and statutory mandates and in lawful
business operations, respectively.
(NPC, Advisory Opinion, No. 2022-0241)
The DPA indeed concerns itself with the free flow of data but limited to the
specific context of personal data processing . . . .
(NPC, Advisory Opinion, No. 2022-0241)
SCOPE

The law applies to the processing of all types of
personal information and to any natural and juridical
person involved in personal information processing,
in the government or private sector.
(Sec. 4, DPA; Sec. 4, IRR)
The Law regulates, through the National Privacy Commission, the
processing of personal data, which includes all types of personal
information.
PROCESSING OF PERSONAL DATA

"Processing" refers to any operation or any set of operations performed
upon personal data including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data. Processing may be
performed through automated means, or manual processing, if the personal
data are contained or are intended to be contained in a filing system.
(IRR, DPA, Sec. 3[o])
EXTRATERRITORIAL SCOPE
The law applies to an act done or practice engaged in and outside of the Philippines if:
a. The natural or juridical person involved in the processing of personal data is found
or established in the Philippines;
b. The act, practice or processing relates to personal data about a Philippine citizen
or Philippine resident;
c. The processing of personal data is being done in the Philippines; or
d. The act, practice or processing of personal data is done or engaged in by an entity
with links to the Philippines, with due consideration to international law and comity.
(Sec. 4, IRR)
EXAMPLES OF AN ENTITY WITH LINKS TO THE
PHILIPPINES
1. Use of equipment located in the country, or maintains an office, branch or agency in
the Philippines for processing of personal data;
2. A contract is entered in the Philippines;
3. A juridical entity unincorporated in the Philippines but has central management and
control in the country;
4. An entity that has a branch, agency, office or subsidiary in the Philippines and the
parent or affiliate of the Philippine entity has access to personal data;
5. An entity that carries on business in the Philippines;
6. An entity that collects or holds personal data in the Philippines.
(Sec. 4[d], IRR)
EXEMPTIONS
The DPA does not apply to information processed in the following cases:
1. Matters of public concern (i.e., government employee, government contractor, license
grantee)
2. Journalistic, artistic, or literary purpose
3. Research purposes intended for public benefit
4. For performance of law enforcement or regulatory functions of public authority
5. For compliance by banks and other financial institutions with the CISA, AMLA, or other
laws applicable to them
6. Residents of foreign jurisdictions with applicable data privacy law
(Sec. 4, DPA; Sec. 5, IRR)
BUT . . .

• the non-applicability of the Act or these Rules do not extend to personal
information controllers or personal information processors, who remain
subject to the requirements of implementing security measures for
personal data protection;
• the processing of the information provided in the preceding paragraphs
shall be exempted from the requirements of the Act only to the minimum
extent necessary to achieve the specific purpose, function, or activity.
(Sec. 5, IRR)
PRIVACY.GOV.PH QUICK GUIDE
THE DATA SUBJECT

“Data subject” refers to an individual whose personal information is processed.
(Sec. 3[c], DPA)
WHAT IS PERSONAL INFORMATION?

“Personal information” refers to any information whether recorded in a
material form or not, from which the identity of an individual is apparent or
can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and
certainly identify an individual.
(Sec. 3[g], DPA)
PERSONAL INFORMATION

The usual identifying information regarding a person includes his name, his
citizenship, his residence address, his contact number, his place and date of birth, the
name of his spouse if any, his occupation, and similar data.

(Disini, Jr. v. Secretary of Justice, G.R. Nos. 203335, etc., February 18, 2014)
WHAT IS PRIVILEGED INFORMATION?

"Privileged information" refers to any and all forms of data,
which, under the Rules of Court and other pertinent laws
constitute privileged communication.
(Sec. 3 [g], DPA)
WHAT IS SENSITIVE PERSONAL INFORMATION?

• Race
• Ethnic origin
• Marital status
• Age
• Color
• Religious affiliations
• Philosophical inclinations
• Political affiliations
• Health
• Education
• Genetic or sexual life
• Proceeding for any offense committed or alleged to have been committed by an individual
• Information issued by government agencies peculiar to an individual
• Information to be kept classified as established by an executive order or an act of Congress
RIGHTS OF THE DATA SUBJECT

a. Right to be informed
b. Right to object
c. Right to access
d. Right to rectification
e. Right to erasure or blocking
f. Right to Data Portability
g. Right to damages
h. Right to lodge a complaint before the commission
RIGHT TO DATA PORTABILITY

Where his or her personal data is processed by electronic means and in a
structured and commonly used format, the data subject shall have the right
to obtain from the personal information controller a copy of such data in an
electronic or structured format that is commonly used and allows for further
use by the data subject. The exercise of this right shall primarily take into
account the right of data subject to have control over his or her personal
data being processed based on consent or contract, for commercial
purpose, or through automated means.
(Sec. 36, IRR)
TRANSMISSIBILITY OF RIGHTS

The lawful heirs and assigns of the data subject may invoke the
rights of the data subject to which he or she is an heir or an
assignee, at any time after the death of the data subject, or
when the data subject is incapacitated or incapable of exercising
the rights as enumerated in the immediately preceding section.
(Sec. 35, IRR)
LIMITATIONS OF RIGHTS

The rights of a data subject shall not be applicable to personal data
gathered:

• for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding
the data subject;
• for the purpose of investigations in relation to any criminal, administrative
or tax liabilities of a data subject.
(Sec. 19, DPA)

Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or
investigation. (Sec. 37, IRR)
PROTECTION AFFORDED TO JOURNALISTS
AND THEIR SOURCES
• “Journalists” shall not be compelled to reveal their source if the information was related
in any confidence to such journalist.
• “Journalists” who are likewise personal information controllers or personal information
processors within the meaning of the law are still bound to follow the Data Privacy Act
and related issuances with regard to the processing of personal data, upholding rights of
their data subjects and maintaining compliance with other provisions that are not
incompatible with the protection provided by Republic Act No. 53.
(Sec. 7, IRR)
• The DPA did not repeal or amend Republic Act No. 53. (Sec. 5, DPA)
RECALL THAT THE LAW . . .

. . . applies to . . . any natural and juridical person
involved in personal information processing . . . .
(Sec. 4, DPA; Sec. 4, IRR)

. . . which brings us to . . .
THE PERSONAL INFORMATION CONTROLLER
WHO IS A PERSONAL INFORMATION CONTROLLER?

"Personal information controller" refers to a natural
or juridical person, or any other body who controls the
processing of personal data, or instructs another to
process personal data on its behalf. The term excludes:

• A natural or juridical person, or any other body,
who performs such functions as instructed by
another person or organization; or
• A natural person who processes personal data in
connection with his or her personal, family, or
household affairs;

There is control if the natural or juridical person or any
other body decides on what information is collected, or
the purpose or extent of its processing.

(Sec. 3 [m])
A person who sets up CCTV for household purposes is not a PIC but if the
CCTV faces outward and captures images of individuals beyond the
boundaries of such property as where it monitors a public space, the
operator is deemed a PIC and subject to the obligations under the DPA.
(NPC Advisory 20-04)
The use of closed-circuit television (CCTV) is expressly allowed under the
Safe Space Act but subject to regulations implementing
the Data Privacy Act. Moreover, the use of CCTV by a private individual
on private property is subject to Art. 26 (1) of the Civil Code.
(Calleja v. Executive Secretary, G.R. Nos. 252578, etc., December 7, 2021)
PICs and PIPs shall provide CCTV notices which are readily visible and
prominent within their premises, such as at points of entry, or other
conspicuous areas. The CCTV notices shall provide information to the
public that there is a CCTV system in operation in clear, plain, and concise
language.
(Sec. 4[C], NPC Advisory 2020-04)
PRINCIPLE OF ACCOUNTABILITY

Each personal information controller is responsible for personal
information under its control or custody, including information that has
been transferred to a third party for processing, whether domestically
or internationally, subject to cross-border arrangement and
cooperation.
(Sec. 21, DPA)
BEING ACCOUNTABLE, THE DATA
CONTROLLER SHALL . . .

• Provide, by contractual or other means, a comparable level of
protection while the information is being processed by a third party;
• Designate an individual or individuals who are accountable for the
organization's compliance with this Act (the Data Protection Officer)
(Sec. 21, DPA)
PRINCIPLE OF ACCOUNTABILITY

A personal information controller may subcontract the processing of personal
information: Provided, That the personal information controller shall be responsible
for ensuring that proper safeguards are in place to ensure the confidentiality of the
personal information processed, prevent its use for unauthorized purposes, and
generally, comply with the requirements of this Act and other laws for processing of
personal information. The personal information processor shall comply with all the
requirements of this Act and other applicable laws.
(Sec. 14, DPA)
The PIC cannot surrender its accountability and responsibility to prevent any unauthorized
processing under the DPA to the Personal Information Processor (PIP). . . . (R)espondent
cannot be absolved of its violations of the DPA on the argument that the processing for
purposes of collections was subcontracted. (R)espondent cannot escape the fact that it
was in the position to control and exercise discretion over what personal information it
processed and the extent of its processing
(In Re: FLI Operating ABC Online Lending Application, NPC 19-910, 17 December 2020)
THE PERSONAL INFORMATION PROCESSOR
WHO IS A PERSONAL INFORMATION
PROCESSOR?

"Personal information processor" refers to any natural or juridical person or any
other body to whom a personal information controller may outsource or instruct
the processing of personal data pertaining to a data subject;
(Sec. 3 [m])
PROCESSING SHOULD COMPLY WITH THE
FOLLOWING . . .

• Criteria for lawful processing
• General data privacy principles for processing (i.e., transparency, legitimate
purpose, proportionality)
• General principles of collection, processing, and retention
CRITERIA FOR LAWFUL PROCESSING OF
PERSONAL INFORMATION

• Consent of the Data Subject
• To fulfill a contract or enter into one
• Protect vital interests, including Life and Health of Data Subject
• Pursuant to a Legal Obligation of the PIC
• National emergency/Public Order and Safety, as prescribed by law
• To fulfill functions of public authority which necessarily includes processing of personal data
• Legitimate interests of the PIC or third parties, except if against Constitutional rights

(Sec. 12, DPA)

CRITERIA FOR LAWFUL PROCESSING OF
SENSITIVE/PRIVILEGED PERSONAL INFORMATION

• Consent of the Data Subject
• Provided by existing laws and regulations
• Protect Life and Health of DS or another person where DS cannot give consent
• Lawful and non-commercial objectives of organizations/associations
• Medical Treatment done by a medical practitioner, with adequate safeguards
• Lawful rights and interests in court proceedings/defense of legal claims/given to public authority

(Sec. 13, DPA)

“Consent of the Data Subject” refers to any freely given, specific,
informed indication of will, whereby the data subject agrees to the
collection and processing of his or her personal, sensitive personal, or
privileged information. Consent shall be evidenced by written,
electronic or recorded means. It may also be given on behalf of a data
subject by a lawful representative or an agent specifically authorized by
the data subject to do so.
(Sec. 3[b], DPA; Sec. 3[c], IRR)
These circumstances, taken together, evince the undue pressure, if not
outright intimidation and harassment, that Pieceland, et al. deliberately
applied to MNLCI members. Indubitably, “consent” given in the wake of the
foregoing incidents cannot satisfy the requirement of free and intelligent
consent required under the Data Privacy Act.
(Pieceland Corporation v. Manila New Life Church Inc., Court of Appeals,
CA-G.R. SP No. 168952, December 14, 2021 [NPC Case No. 19-528])
Sec. 13 (f) may refer to legal claims of persons other than those who
processed the personal information, in this case, the act of Respondent in
issuing the Affidavit to support a legal claim of the third person who filed the
Administrative Complaint before the DepEd against the Complainant.
(JDB v. JME, NPC 21-032, 16 May 2022)
GENERAL DATA PRIVACY PRINCIPLES ON
PROCESSING OF PERSONAL INFO

The processing of personal information shall be allowed, subject to
compliance with the requirements of this Act and other laws allowing
disclosure of information to the public and adherence to the principles of
transparency, legitimate purpose and proportionality.
(Sec. 11)
PRINCIPLE OF TRANSPARENCY

The data subject must be aware of the nature, purpose, and extent
of the processing of his or her personal data, including the risks and
safeguards involved, the identity of personal information controller,
his or her rights as a data subject, and how these can be exercised.
Any information and communication relating to the processing of
personal data should be easy to access and understand, using clear
and plain language.
(Sec. 19 [a], IRR)
PRINCIPLE OF LEGITIMATE PURPOSE

The processing of information shall be compatible with a declared
and specified purpose which must not be contrary to law, morals,
or public policy.
(Sec. 18 [b], IRR)
PRINCIPLE OF PROPORTIONALITY

The processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified
purpose. Personal data shall be processed only if the purpose of the
processing could not reasonably be fulfilled by other means.
(Sec. 18 [c])
GENERAL PRINCIPLES IN COLLECTION, PROCESSING AND RETENTION

a. Collection must be for a declared,
specified, and legitimate purpose;
b. Personal data shall be processed fairly
and lawfully;
c. Processing should ensure data quality;
d. Personal Data shall not be retained
longer than necessary; and
e. Any authorized further processing shall
have adequate safeguards.

(Sec. 11, DPA; Sec. 19, IRR)

WHAT ABOUT DATA SHARING?

“Data sharing” is the disclosure or transfer to a third party of personal
data under the custody of a personal information controller or
personal information processor. In the case of the latter, such
disclosure or transfer must have been upon the instructions of the
personal information controller concerned. The term excludes
outsourcing, or the disclosure or transfer of personal data by a
personal information controller to a personal information processor.
(Sec. 3[f], IRR)
PRINCIPLES OF DATA SHARING
• Data sharing shall be allowed when it is expressly authorized by law, Provided, there
are adequate safeguards;
• Data Sharing shall be allowed in the private sector if the data subject consents to data
sharing;
• Data sharing for purpose of research shall be allowed when the personal data is
publicly available, or has the consent of the data subject for purpose of
research, Provided, adequate safeguards are in place, and no decision directly affecting
the data subject shall be made on the basis of the data collected or processed.
• Data sharing between government agencies for the purpose of a public function or
provision of a public service shall be covered by a data sharing agreement.
(Sec. 21, IRR)
IN RELATION TO DATA SHARING . . .

The Bill of Rights guarantees the right of the people to information on
matters of public concern, subject to limitations provided by law:

SECTION 7. The right of the people to information on matters of public concern shall be
recognized. Access to official records, and to documents, and papers pertaining to official
acts, transactions, or decisions, as well as to government research data used as basis for
policy development, shall be afforded the citizen, subject to such limitations as may be
provided by law.
EXECUTIVE ORDER NO. 2, 2016

OPERATIONALIZING IN THE EXECUTIVE BRANCH THE PEOPLE’S CONSTITUTIONAL
RIGHT TO INFORMATION AND THE STATE POLICIES TO FULL PUBLIC DISCLOSURE
AND TRANSPARENCY IN THE PUBLIC SERVICE AND PROVIDING GUIDELINES
THEREFOR
INVENTORY OF EXCEPTIONS TO EO NO. 2
1. Information covered by Executive privilege;
2. Privileged information relating to national security, defense or international relations;
3. Information concerning law enforcement and protection of public and personal safety;
4. Information deemed confidential for the protection of the privacy of persons and certain
individuals such as minors, victims of crimes, or the accused;
5. Information, documents or records known by reason of official capacity and are deemed as
confidential, including those submitted or disclosed by entities to government agencies, tribunals,
boards, or officers, in relation to the performance of their functions, or to inquiries or investigation
conducted by them in the exercise of their administrative, regulatory or quasi-judicial powers;
6. Prejudicial premature disclosure;
7. Records of proceedings or information from proceedings which, pursuant to law or relevant rules
and regulations, are treated as confidential or privileged;
8. Matters considered confidential under banking and finance laws, and their amendatory laws; and
9. Other exceptions to the right to information under laws, jurisprudence, and regulations.

(Memorandum from the Executive Secretary dated November 24, 2016)


THERE MUST BE ADEQUATE SAFEGUARDS

The accountability principle as well as the criteria and principles of data
processing and data sharing require that adequate safeguards are in place,
for both information controller and information processor, to protect the
privacy of personal data.
(Secs. 11, 12, 13 and 14, DPA)
EVEN EO NO. 2 PROTECTS PRIVACY

While providing access to information, public records, and official records, responsible officials shall afford
full protection to an individual's right to privacy as follows:
(a) Each government office per Section 2 hereof shall ensure that personal information in its custody or
under its control is disclosed or released only if it is material or relevant to the subject matter of the
request and its disclosure is permissible under this Order or existing laws, rules or regulations;
(b) Each government office must protect personal information in its custody or control by making
reasonable security arrangements against leaks or premature disclosure of personal information which
unduly exposes the individual whose personal information is requested to vilification, harassment, or
any other wrongful acts, and
(c) Any employee or official of a government office per Section 2 hereof who has access, authorized or
unauthorized, to personal information in the custody of the office must not disclose that information
except when authorized under this Order or pursuant to existing laws, rules or regulations.
(Sec. 7, EO2)
HENCE, THE NEED FOR SECURITY MEASURES
TO PROTECT PERSONAL DATA

Personal information controllers and personal information
processors shall implement reasonable and appropriate
organizational, physical, and technical security measures for
the protection of personal data.
(Sec. 20, DPA; Sec. 25, IRR)
GUIDELINES FOR ORGANIZATIONAL SECURITY

• Compliance Officers/Data Protection Officer
• Data Protection Policies
• Records of Processing Activities
• Management of Human Resources
• Processing of Personal Data
• Contracts with Personal Information Processors
(Sec. 26, IRR)
GUIDELINES FOR PHYSICAL SECURITY

• Policies and procedures to monitor and limit access and activities
• Design of office space and workstations
• Clearly defined duties, responsibilities and schedule of individuals involved in the processing
• Policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media
• Policies and procedures that prevent the mechanical destruction of files and equipment shall be established
(Sec. 27, IRR)
GUIDELINES FOR TECHNICAL SECURITY

a. A security policy with respect to the processing of personal data;
b. Safeguards to protect their computer network against accidental, unlawful or unauthorized usage;
c. Ensure confidentiality, integrity, availability, and resilience;
d. Regular monitoring for security breaches, and a process both for identifying and assessing vulnerabilities, and for taking preventive, corrective, and mitigating action;
e. The ability to restore the availability and access to personal data in a timely manner;
f. A process for regularly testing, assessing, and evaluating the effectiveness of security measures;
g. Encryption of personal data during storage and while in transit, authentication process, and other technical security measures that control and limit access.
(Sec. 27, IRR)

PRIVACY.GOV.PH QUICK GUIDE (graphic)

Also, the criteria for lawful processing of personal and sensitive personal information must be observed.
THE NATIONAL PRIVACY COMMISSION
FUNCTIONS OF THE NPC

• Rule Making
• Advisory
• Public Education
• Compliance and Monitoring
• Complaints and Investigations
• Enforcement
• Other functions
(Sec. 9, IRR)
COMPLIANCE AND MONITORING

• Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals;
• Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;
• Annual report of the summary of documented security incidents and personal data breaches; and
• Compliance with other requirements that may be provided in other issuances of the Commission.
(Sec. 46, IRR)
REGISTRATION OF PERSONAL DATA PROCESSING SYSTEMS

• Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;
(Sec. 46[a], DPA)

• The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
(Sec. 47, DPA)
NOTIFICATION OF AUTOMATED PROCESSING SYSTEMS

The personal information controller carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.
(Sec. 48, DPA)

No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject.
(Sec. 48[b], DPA)
ANNUAL REPORTS

All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller. In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to the Commission annually.
(Sec. 41[b], IRR)

"Security incident" is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place.

"Personal data breach" refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
DATA BREACH NOTIFICATION
The personal information controller shall promptly notify the Commission and
affected data subjects when:
• sensitive personal information; or
• other information that may, under the circumstances, be used to enable identity
fraud
• are reasonably believed to have been acquired by an unauthorized person; and
• the personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject.
(Sec. 20[f], DPA)
DATA BREACH NOTIFICATION

Within 72 hours . . . upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.
(Sec. 38[a], IRR)
CONTENT OF THE NOTICE

The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures
taken by the entity to address the breach. Notification may be delayed
only to the extent necessary to determine the scope of the breach, to
prevent further disclosures, or to restore reasonable integrity to the
information and communications system.
(Sec. 20[f], DPA)
The content and information of the complete breach report is needed by
the Commission in order to determine whether [a PIC] has acted
adequately in order to protect the rights of the affected data subject and to
see if [it] has undertaken measures to avoid further damage and prevent
similar incidents from recurrence.
(In Re: Rokko & Associates, Inc., CID BN 19-034, 21 September 2020)
Notification of data subjects of a personal data breach is the general rule and exemptions
are allowed only under specific circumstances. The purpose of the requirement to notify
data subjects of a breach incident is to give them the opportunity to take the necessary
precautions or such other measures to protect themselves against possible effects of the
breach. PICs are likewise required to establish all reasonable mechanisms to ensure that
all affected data subjects are made aware of the breach. A delay in notification can cause
harm to affected data subjects as they cannot protect themselves from the consequences
of the breach.
(IN RE: BPI PHILAMLIFE ASSURANCE CORP., NPC BN No. 21-054, 15 April 2021)
COMPLIANCE WITH OTHER REQUIREMENTS

PRIVACY.GOV.PH QUICK GUIDE (graphic)

QUASI-JUDICIAL POWER

THE NPC SHALL . . .

Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report;
(Sec. 7[b], DPA)

THE NPC CAN ALSO . . .

Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
(Sec. 7[c], DPA)

APPEALS

Appeal from final decisions of the Commission shall be made to the proper courts in accordance with the Rules of Court, or as may be prescribed by law.
(Sec. 66)
AVAILABLE SANCTIONS FOR VIOLATION OF THE DPA

Violation of the Act is punishable criminally, civilly, and administratively.

CRIMINAL SANCTIONS

Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;
(Sec. 7[i], DPA)
The president of a condo corporation posted a letter, containing complainants' personal information as delinquent unit owners with unpaid dues, in public spaces of the condo, and published the same in a magazine distributed to unit owners.

This is unauthorized disclosure. Unauthorized disclosure is committed when a perpetrator processes personal information without any lawful basis; conversely, the presence of any lawful criteria is sufficient to justify the processing of personal or sensitive personal information.

Requisites of unauthorized disclosure: (1) perpetrator is PIC/P; (2) perpetrator disclosed information; (3) information relates to personal or sensitive personal information; (4) perpetrator disclosed personal or sensitive personal information to a third party; (5) disclosure was without any lawful basis; (6) disclosure is neither malicious nor done in bad faith and information disclosed is not unwarranted nor false.
(MVC v. DSL, NPC 21-010 to 015, 3 February 2022)

PRIVACY.GOV.PH QUICK GUIDE (graphic)
IF THE OFFENDER IS A JURIDICAL PERSON

• the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.
• the court may suspend or revoke any of its rights under the DPA.
(Sec. 34, DPA)

IF THE OFFENDER IS AN ALIEN

• he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed.
(Sec. 34, DPA)

IF THE OFFENDER IS A PUBLIC OFFICIAL OR EMPLOYEE

. . . and such public official or employee is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.
(Sec. 34, DPA)

IF THE OFFENDER IS A PUBLIC OFFICER

When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied.
(Sec. 36, DPA)

LARGE-SCALE OFFENSE

The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the abovementioned actions.
(Sec. 35, DPA)
CIVIL INDEMNITY

RESTITUTION AND INDEMNITY

• Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code. (Sec. 37, DPA)
• Pursuant to the exercise of its quasi-judicial functions, the Commission shall award indemnity to an aggrieved party on the basis of the provisions of the New Civil Code. Any complaint filed by a data subject shall be subject to the payment of filing fees, unless the data subject is an indigent. (Sec. 7[b], DPA; Sec. 64, IRR)
ADMINISTRATIVE SANCTIONS

CEO, CDO, BAN, FINE

Violations of the Act, these Rules, other issuances and orders of the Commission, shall, upon notice and hearing, be subject to compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the processing of personal data, or payment of fines, in accordance with a schedule to be published by the Commission.
(Sec. 65, IRR)
LIST OF CASES

General Privacy Cases:
• Morfe v. Mutuc, G.R. No. L-20387, January 31, 1968
• People v. Marti, G.R. No. 81561, January 18, 1991
• Ople v. Torres, G.R. No. 127685, July 23, 1998
• Pollo v. Constantino-David, G.R. No. 181881, October 18, 2011
• Disini, Jr. v. Secretary of Justice, G.R. Nos. 203335, etc., February 18, 2014
• De Leon v. Duterte, G.R. No. 252118, May 8, 2020
• Kilusang Mayo Uno v. Director-General, G.R. Nos. 167798 & 167930, April 19, 2006
• Roan v. Gonzales, G.R. No. 71410, November 25, 1986
• Abines v. Duque III, G.R. No. 235891, September 20, 2022
• Sister Versoza v. People, G.R. No. 184535 (Resolution), September 3, 2019
• White Light Corp. v. City of Manila, G.R. No. 122846, January 20, 2009, 596 PHIL 444-472
• In the Matter of the Petition for Writ of Habeas Corpus/Data v. De Lima, G.R. Nos. 215585 & 215768, September 8, 2020
• Hilado v. Reyes, G.R. No. 163155, July 21, 2006
• Zarate v. Aquino III, G.R. No. 220028 (Notice), November 10, 2015
• Re Request for Copy of 2008 SALN, A.M. Nos. 09-8-6-SC & 09-8-07-CA (Resolution), June 13, 2012
• Subido Pagente Certeza Mendoza and Binay Law Offices v. Court of Appeals, G.R. No. 216914, December 6, 2016
• Re: Rolando Espinosa, Sr., A.M. Nos. RTJ-17-2494 & RTJ-19-2557, January 26, 2021
• Yonzon v. Coca-Cola Bottlers Philippines, Inc., G.R. No. 226244, June 16, 2021
• Calleja v. Executive Secretary, G.R. Nos. 252578, etc., December 7, 2021
• Vivares v. St. Theresa's College, G.R. No. 202666, September 29, 2014
• Office of the Court Administrator v. Atillo, Jr., A.M. No. RTJ-21-018, September 29, 2021
• Gamboa v. Chan, G.R. No. 193636, July 24, 2012

Data Privacy Act cases:
• Cadajas v. People, G.R. No. 247348, November 16, 2021
• Philippine Stock Exchange v. Secretary of Finance, G.R. No. 213860, July 5, 2022

National Privacy Commission Decisions:
• NPC, Advisory Opinion, No. 2022-0241
• NPC Advisory 20-04
• In Re: FLI Operating ABC Online Lending Application, NPC 19-910, 17 December 2020
• JDB v. JME, NPC 21-032, 16 May 2022
• In Re: Rokko & Associates, Inc., CID BN 19-034, 21 September 2020
• In re: BPI PhilamLife Assurance Corp., NPC BN No. 21-054, 15 April 2021
• MVC v. DSL, NPC 21-010 to 015, 3 February 2022
• Pieceland Corporation v. Manila New Life Church Inc., Court of Appeals, CA-G.R. SP NO. 168952, December 14, 2021 (NPC Case No. 19-528)
IF YOU CAN’T PROTECT IT, DON’T COLLECT IT.
THE DATA PRIVACY GOLDEN RULE

CREDIT: NATIONAL PRIVACY COMMISSION