Data Privacy Act


Copyright Notice ©

The modules, lectures presented (printed, PowerPoint, recorded), pop quizzes, and bulletins issued by the UP Law Center during its paralegal training programs/courses are subject of copyright protection. Unauthorized use, copying, reproduction, sharing, distribution or alteration thereof may constitute violation of intellectual property laws and give rise to civil and criminal liability.

Copyright © 2023. University of the Philippines Law Center. All rights reserved.
DATA PRIVACY ACT PRIMER
UP LAW CENTER PARALEGAL TRAINING PROGRAM

Why is this relevant?
• An understanding of data privacy regulations is crucial to navigating this increasingly digital age, where information itself is an asset exploited by different persons/companies.
• Persons (natural and juridical) must be aware of their responsibilities with regard to personal data.
• Persons (who own their own data) must likewise be aware of their rights under the law.
Data Privacy Act (DPA) of 2012 in a nutshell
Processing of personal information shall be allowed, subject to adherence to the principles of transparency, legitimate purpose, and proportionality. The fundamental right of persons to privacy shall be upheld.

Prior to enactment of the law, specific privacy laws existed to protect specific types of information: privileged communications, secrecy of bank accounts, etc. The DPA provided a general privacy regulation applicable to personal data in general.
Objectives of the Data Privacy Act (DPA) of 2012
The DPA's objective is to secure personal data in information and communication systems in the government and private sectors.

It aims to protect a person's fundamental human right to privacy while ensuring the free flow of information to promote innovation and growth.
NATIONAL PRIVACY COMMISSION
The NPC is an independent body mandated to administer and implement the Data Privacy Act and to monitor and ensure compliance therewith. Functions:
• Rule-making
• Advisory
• Compliance and Monitoring
• Complaints and Investigations
• Enforcement
Who are required to register?
• All natural and juridical persons employing at least 250 employees; and
• Natural and juridical entities that employ fewer than 250 persons if the data processing:
  • is likely to pose a risk to the rights and freedoms of data subjects,
  • is not occasional, or
  • includes sensitive personal information of at least 1,000 individuals.

* A data processing system involving automated decision-making or profiling shall in all instances be registered with the Commission. (NPC Circular 2022-04)
Who are required to register? (NPC Circular No. 2017-01)
Entities whose data processing is likely to pose a risk to the rights and freedoms of data subjects:
• Banks and non-bank financial institutions, including pawnshops and non-stock savings and loan associations;
• Telco networks and ISPs;
• Business process outsourcing companies;
• Universities, colleges, schools and training institutions;
• Hospitals, clinics, diagnostic or therapeutic facilities, etc.;
• Insurance and pre-need companies, including insurance brokers;
• Businesses involved in direct marketing, networking and those with reward cards and loyalty programs;
• Pharmaceutical companies engaged in research; and
• PIPs processing personal data for the abovementioned entities.

* See also NPC Circular 2022-04.


Definition of Terms
Processing of Personal Data – refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
Sensitive Personal Information – information about an individual's
• race, ethnicity, marital status, age, color, and religious, philosophical or political affiliations;
• health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by the person;
• government-issued information peculiar to an individual, such as Social Security Numbers, previous or current health records, licenses or denials/suspension/revocation, and tax returns; and
• classified information pursuant to an Executive Order or act of Congress (law).
Personal Information Controller ("PIC") – natural/juridical person or any other body who controls the processing of personal data or instructs another to process personal data on its behalf. It excludes:
• those who perform such functions as instructed by another person or organization;
• a natural person who processes data in connection with his or her personal, family, or household affairs.

Personal Information Processor ("PIP") – natural/juridical person or any other body to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject.
FIVE PILLARS OF DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE
1. Commit to Comply (Registration of DPO)
2. Assess your Risks (Privacy Impact Assessment)
3. Be Accountable (Develop Privacy Manual)
4. Demonstrate your Compliance (Implement Policies)
5. Be Prepared for Breach (Exercise Breach Reporting Procedures)
REGISTRATION WITH THE NPC
• PHASE 1 REGISTRATION: REGISTRATION OF DATA PROTECTION OFFICER (DPO)
  • Deadline was September 9, 2017.

• PHASE 2 REGISTRATION: REGISTRATION OF DATA PROCESSING SYSTEM
  • Deadline was March 8, 2018 for Juridical Entities and July 2, 2018 for covered professionals (individuals).
Phase One: Registration of DPO
• Designate a Data Protection Officer (DPO) and/or Compliance Officer for Privacy (COP), if applicable.

• Register with the National Privacy Commission (NPC).
• Data Protection Officer (DPO) – individual designated by the head of agency or organization to be accountable for its compliance with the Data Privacy Act.

• Compliance Officer for Privacy (COP) – individual(s) who perform some of the functions of a DPO in the following cases:
  • May be designated by a private entity for each component unit if it has branches, sub-offices, or any other component units.
  • Subject to the approval of the NPC, a group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. Where such a common DPO is allowed by the NPC, the other members of the group must still have a COP.
Phase Two: Registration of DPS
• Conduct Privacy Impact Assessment
  • Process to understand the personal data flow in the organization and to determine the security risks. This assessment will trace the life cycle of the data, from collection to destruction.
• Draft Privacy Manual
• Register your Data Processing Systems
Privacy Impact Assessment
Objectives
• Identify, assess, evaluate and manage the risks represented by the processing of personal data; and
• Ensure compliance with the Data Privacy Act, its IRR and NPC Advisories:
  • Organizational, Physical and Technical Security
  • Uphold the rights of data subjects
  • Adherence to the guiding principles for data processing
GUIDING PRINCIPLES FOR DATA PROCESSING
• TRANSPARENCY
  • Is your data subject aware of the nature, purpose and extent of the processing of his personal data, including the risks and his rights as data subject?
• LEGITIMATE PURPOSE
  • Is your data collection and processing pursuant to a declared and specified purpose?
• PROPORTIONALITY
  • Are you only collecting data enough for your stated purpose?
RIGHTS OF DATA SUBJECTS
• Right to be informed
• Right to reasonable access to personal information
• Right to dispute and rectify record of personal information
• Right to object to processing of personal data
• Right to suspend, withdraw consent or request removal of personal data from PIC's filing system
• Right to damages
• Right to data portability
Lawful Processing of Personal Information
Processing of personal information shall be permitted ONLY if not otherwise prohibited by law, AND when at least one of the following conditions exists:
• Data Subject has given his consent;
• Processing is necessary and is related to the fulfillment of a contract with the Data Subject or in order to take steps at the request of the Data Subject prior to entering into a contract;
• Processing is in compliance with a legal obligation of the PIC;
• Processing is necessary to protect vitally important interests of the Data Subject, including life and health;
• Processing is necessary in order to respond to national emergency; and
• Processing is necessary for the purposes of the legitimate interests* pursued by the PIC, except where such interests are overridden by fundamental rights and freedom of the Data Subject.
What constitutes 'legitimate interest'?
In order to use legitimate interest as basis for lawful processing, a PIC must consider the following:
• Purpose test – the existence of a legitimate interest must be clearly established, including a determination of what the particular processing operation seeks to achieve;
• Necessity test – the processing of personal information must be necessary for the purposes of the legitimate interest pursued by the PICs or third party to whom personal information is disclosed, where such purpose could not reasonably be fulfilled by other means; and
• Balancing test – the fundamental rights and freedoms of data subjects should not be overridden by the legitimate interests of the PIC, considering the likely impact of the processing on the data subjects.

* NPC Advisory Opinion No. 2019-023


Lawful Processing of Sensitive Personal Information
Processing of sensitive personal information shall be prohibited, except in the following cases:
• Data Subject has given his consent PRIOR to processing;
• Processing is provided for by existing laws and regulations and consent is not otherwise required by law or regulations;
• Processing is necessary to protect the life and health of the Data Subject and the Data Subject is not legally or physically able to express consent prior to processing;
• Processing is necessary for purposes of medical treatment; and
• Processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
Breach Reporting Requirement
In cases of breaches satisfying the following criteria, notification to the NPC and affected Data Subjects within 72 hours is required:

• the breach involves sensitive personal information or information that could be used for identity fraud,
• the PIC has reasonable belief that unauthorized access has occurred,
• the risk to the Data Subject is real, and
• the potential harm is serious.
NPC Commission Orders/MCs (DPA in Operation)
• CIBDN No. 17-043: Jollibee Online Delivery shut down (whitehacking incident led to closure of Jollibee Online Delivery)
• CIBD No. 18-058: Wendy's website breach (breach of website and online publication of online database of Wendy's)
• IN RE: Violation of the DPA by several companies operating online lending applications (ban on processing personal data)
• (Cease and Desist Order and Notice of Deficiencies dated 31 January 2020) NPC suspends GRAB PH's selfie verification, audio, video recording systems
• Joint (NPC and DOH) Memorandum Circular No. 2020-002 (Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response)
General Reminders:
• The DPA requires the free and informed consent of the individual from whom personal data is collected. Consent should be time-bound in relation to the declared, specified and legitimate purpose and may be withdrawn.
  • Forms must explicitly ask consent from the individual.

• Data Sharing (with third party or affiliates) is allowed provided that:
  • there are adequate safeguards for data privacy and security (including the execution of a Data Sharing Agreement);
  • it adheres to the principles of transparency, legitimate purpose and proportionality; and
  • the individual consents to data sharing.
What should your company do?
• Assess Data Flow (all collections and all sharing) through the conduct of the Privacy Impact Assessment
• Draft Privacy Manual
• Implementation
  • Revise company forms (HR forms, client forms, etc.) and standard contracts
  • Review physical and technical security measures intended to ensure data privacy
  • Execute Data Sharing Agreements where the company shares personal information with other entities (including affiliated companies) for commercial purposes.
• Be mindful of application of the Data Privacy Act in all aspects of operations:
  • Include a Privacy Notice in your websites
  • Inform people that there are CCTVs in your offices/establishments
  • Have standard privacy clauses in contracts
  • Identify all information systems (e.g. reception/building visitor registration is actually one system) to ensure that all systems are compliant with the Data Privacy Act
  • Have data privacy-related policies in employee or company manuals
Penalties
(Responsible Officers are accountable in case of violation committed by Juridical Entities)

Offense: Unauthorized Processing (processing data without consent of data subject or not authorized by law)
Penalty: 1-3 years imprisonment and 500K to 2M fine

Offense: Unauthorized Access due to Negligence (negligence in keeping data and allowing access to unauthorized persons)
Penalty: 1-6 years imprisonment and 500K to 4M fine

Offense: Improper Disposal (improper disposal/abandonment of personal information of an individual in an area accessible to the public or in a container for trash)
Penalty: 6 months - 2 years imprisonment and 100K to 500K fine

Offense: Processing for Unauthorized Purposes (processing data for purposes not authorized by the data subject or not authorized by law)
Penalty: 1 year and 6 months - 5 years imprisonment and 500K to 1M fine

Offense: Unauthorized Access or Intentional Breach (violation of data confidentiality or hacking)
Penalty: 1-3 years imprisonment and 500K to 2M fine

Offense: Concealment of Security Breaches involving Sensitive Personal Information (having knowledge of the data breach and failure to report within 72 hours)
Penalty: 1 year 6 months - 5 years imprisonment and 500K to 1M fine

Offense: Malicious Disclosure (disclosure of unwarranted or false information about a person in bad faith)
Penalty: Same as above

Offense: Unauthorized Disclosure (disclosure of personal information to third party without consent of data subject)
Penalty: 1-5 years imprisonment and 500K to 2M fine
LATEST NPC ANNOUNCEMENTS
• ANNOUNCEMENT ON DPS REGISTRATION
  • With the launch of the National Privacy Commission Registration System ("NPCRS") and the effectivity of NPC Circular No. 2022-04 on 11 January 2023, the Commission will no longer accept new registration, amendments, and renewal of registration except through the NPCRS portal. Submission through email, personal filing, ordinary mail, licensed courier service and other modes of physical submission shall not be considered valid.
  • Personal Information Controllers (PICs), Personal Information Processors (PIPs), and Individual Professionals processing personal data who are covered by mandatory registration (Sec. 5, NPC Cir. 22-04) have 180 days, or until 10 July 2023, to comply.
  • NPC Circular No. 2022-04 can be accessed through this Link
  • All PICs/PIPs are directed to create an account, through its Data Protection Officer, and register Data Processing Systems at Link
  • For registration-related inquiries, you may reach us through email at registrationsupport@privacy.gov.ph
  • For system (NPCRS) related inquiries, please email us at adminnpcrs@privacy.gov.ph
  • PICs/PIPs who do not fall under Section 5 on Mandatory Registration of NPC Circular No. 2022-04 are required to submit a notarized document of Annex 1 - Sworn Declaration and Undertaking for Exemption from Registration of Data Processing Systems at registrationexemption@privacy.gov.ph
  • All Certificates of Registration with effectivity dates until the 8th of March 2023 are EXTENDED to 10 July 2023.
  • PICs, PIPs, and Individual Professionals holding OLD Certificates of Registration bearing a different effectivity date shall be considered not registered.
• For inquiries, email NPC at info@privacy.gov.ph
• For breach notifications:
  With the launch of the DBNMS, the NPC will no longer accept Breach Notification and Annual Security Incident Report submissions except through the DBNMS online platform. Thus, submissions through email, personal filing, ordinary mail, licensed courier service, and any other mode of physical submission shall not be considered as valid.
  • All Personal Data Breach Notifications and Annual Security Incident Reports shall be submitted through https://dbnms.privacy.gov.ph.
• For complaints, send your complaints-assisted form to complaints@privacy.gov.ph

THANK YOU!
