
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATION SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

The Data Privacy Act was signed into law on August 15, 2012 and came into effect on 8 September 2012.

State Policies
(Section 2 of RA 10173)
• State policy to protect the fundamental human right of privacy without hindering free flow of information to promote innovation and growth
• Vital role of information and communications technology in nation-building
• State obligation to ensure security and protection of personal data in information and communications systems

Scope and Coverage
(Section 4 of RA 10173)
• Includes the processing of all types of personal information
• Covers any natural or juridical person involved in personal information processing

CHAPTER IV
Rights of the Data Subject

Rights of the Data Subject
Section 16 subsection (a) [Informed process]
1. Data subject has the right to know that his/her personal data is being processed, shall be processed or will be processed
2. Personal data shall never be processed / collected without explicit consent from the data subject

Rights of the Data Subject
Section 16 subsection (b) [Furnished info.]
2. Before entry of personal information into the processing system or at the next practical opportunity, afford the data subject the right to be furnished the following information: (8)
a) Description of the information
b) Purpose for processing
c) Scope and method
d) Recipients to whom the info is disclosed
e) If allowed by data subject, the methods utilized for automated access and the extent to which access is authorized
f) Identity and contact details of the personal information controller or its representative
g) Period for which the information is stored
h) The existence of their rights such as right to access, right to correction, and right to lodge a complaint before the Commission

• General Rule: The information enumerated shall not be amended without prior notification of the data subject
• Exception: When prior notification is not required
1. Personal information needed pursuant to a subpoena; or
2. Necessary for the performance of a contract; or
3. Necessary/desirable in an employer-employee relationship between collector and data subject; or
4. Collection and processing of personal information based on a legal obligation.

Rights of the Data Subject
Section 16 subsection (c) [Access]
3. Upon demand, reasonable access to the following: (8)
a) Contents of personal information processed
b) Source from which info was obtained
c) Names and addresses of recipients
d) Manner by which the data was processed
e) Reasons for disclosure of personal info
f) Information on automated processes
g) Date when the personal information was last accessed and/or modified
h) Designation, name, or identity and the address of the personal information controller

Rights of the Data Subject
Section 16 subsection (d) [Dispute]
4. Dispute the inaccuracy or error in the personal information; and have the personal information controller correct it immediately and accordingly

Except: if request is vexatious or unreasonable

If personal information is corrected, the personal information controller shall ensure the accessibility of both the new and retracted information AND the simultaneous receipt of both by recipients thereof.

Third Parties who have previously received such processed personal information shall be informed of the inaccuracy and its correction upon reasonable request from the data subject.

RIGHT TO REMOVE

Rights of the Data Subject
Section 16 subsection (e) [Suspend/Remove]
5. Upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or are no longer necessary for the purposes for which they were collected:
Suspend, withdraw or order the blocking, removal or destruction of the personal information from the personal information controller’s filing system
The personal information controller may notify third party recipients of such processed personal information

RIGHT TO DAMAGES

Rights of the Data Subject
Section 16 subsection (f) [Damages]
6. Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information

Right to Data Portability
Section 18
• Where personal information is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of the data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject.
The Commission may specify the electronic format referred to above, as well as technical standards, modalities and procedures for their transfer.

RIGHT TO FILE A COMPLAINT
if personal information has been misused,
maliciously disclosed or improperly disposed.

Functions of the Commission
• The National Privacy Commission:
  • administers and implements the provisions of this Act
  • monitors and ensures compliance with international standards set for data protection

Section 8: Confidentiality
The National Privacy Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession

WHO MAY FILE A COMPLAINT?
• The National Privacy Commission (NPC), on its own initiative;
• Those who have suffered a data privacy violation or personal data breach; and
• Persons who are personally affected by a violation of the Data Privacy Act of 2012 (Republic Act No. 10173).

RULE OF EXHAUSTION OF REMEDIES
• This rule means that in filing the complaint, a complainant must be able to show that there was an opportunity offered in good faith to have the respondent comply with any legal obligations involving data protection and privacy.

HOW TO FILE A COMPLAINT?
File a complaint-affidavit together with copies of any evidence and witnesses’ affidavit through the following:
1. in person (hard copy), at the NPC Office;
2. in person (portable electronic data storage device), at the NPC Office; or
Address: 5th Floor Delegation Building, PICC Complex, Roxas Blvd, Pasay, Metro Manila
3. electronically, via: complaints@privacy.gov.ph.

Electronic documents must be digitally signed and in .PDF format (if practicable)

If submitted in this digital format, the NPC may charge fees for printing.

HOW LONG IS THE PROCESS?
• From the time complaints are received, the Complaints and Investigation Division of NPC, through its Investigating Officers, shall conduct initial evaluations on complaints so received within a reasonable time.
• From here, the entire process, up to final adjudication, should take four to six months.
• If there is a request to have the NPC issue a temporary stop processing order so as to enjoin the processing of any data, the NPC may issue an Order, after due hearing and the payment of the proper bond. This process can happen from one to two weeks after the filing of this request.

Who may invoke rights of data subject
Section 17
1. Data subject; or
2. Lawful heirs and assigns of the data subject if:
  • Data subject is dead
  • Data subject is incapacitated or incapable of exercising his/her rights under this law

Data Privacy Principles
There are four general principles with respect to the collection and processing of personal data which personal information controllers are obliged to follow or adhere to.

CHAPTER III
PROCESSING OF PERSONAL INFORMATION

PRINCIPLE OF TRANSPARENCY
1. Personal Information Controller must determine and disclose the purpose for processing a person’s data before its collection or as soon as practicable.
2. Consent of the data subject on the collection and processing of his data should first be obtained, subject to exemptions provided by laws and regulations.
3. In obtaining his consent, the data subject must be informed of the nature, purpose, and extent of the processing of such personal data, including the risks and safeguards involved, the identity of the personal information controller, his rights as a data subject as well as how these can be exercised.
4. Moreover, information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.

PRINCIPLE OF LEGITIMATE PURPOSE
Personal Information Controller is obliged to ensure:
1. The collection and processing of information must also be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.
2. Personal data should be processed fairly and lawfully.

PRINCIPLE OF PROPORTIONALITY
• The processing of personal information must be relevant to, and must not exceed, the declared purpose.
• The personal information may be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise, or defense of legal claims, or as provided by law.

DATA QUALITY PRINCIPLE
The data quality principle requires that personal data should be accurate and kept up to date.

It also requires that inaccurate or incomplete data be rectified, supplemented, destroyed, or restricted.

General Principles in the Processing of Personal Information
• It is the duty of the personal information controller to ensure implementation of the personal information processing principles.

CHAPTER VIII: PENALTIES

Unauthorized Processing
Section 25
Unauthorized Processing – processing of information without consent of data subject, or without being authorized by the law.
(a) For personal information – Imprisonment between 1 to 3 years and fine between P500,000 to P2,000,000.
(b) For sensitive personal information – Imprisonment between 3 to 6 years and fine between P500,000 to P4,000,000.

Providing Unauthorized Access
Section 26
Providing Unauthorized Access – Due to negligence, provides access to information without being authorized by law.
(a) Personal Information – Imprisonment from 1 to 3 years and fine from P500,000 to P2,000,000.
(b) Sensitive Personal Information – Imprisonment from 3 to 6 years and fine from P500,000 to P4,000,000.

Improper Disposal
Section 27
• Improper disposal – knowingly or negligently dispose, discard, or abandon information in a public area or in a container for trash collection.
(a) Personal Information – Imprisonment from 6 months to 2 years and fine from P100,000 to P500,000.
(b) Sensitive Personal Information – Imprisonment from 1 year to 3 years and fine from P100,000 to P1,000,000.

Unauthorized Access or Intentional Breach – Section 29
• Knowingly and unlawfully (or violating data confidentiality and security data systems) breaks into any system where personal and sensitive personal information are stored.
• Penalty: Imprisonment from 1 to 3 years and fine from P500,000 to P2,000,000.

Combination or Series of Acts
Section 33
• Any combined violations of Sections 25 to 32
• Penalty: Imprisonment from 3 to 5 years and fine from P1,000,000 to P5,000,000.

Extent of Liability
Section 34
• If violation is committed by a juridical entity, the penalty shall be imposed upon the responsible officers who participated in, or by gross negligence, allowed the commission of the crime.
• If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act.

Offenses by Public Officer
Section 36
• When violation is committed by a public officer in the exercise of his/her duties
• Accessory penalty of disqualification to occupy public office shall be applied for a term double the period of criminal penalty imposed

THANK YOU!
