What You Should Know About Data Privacy in the Philippines

Content Overview:

  • Introduction
  • What is Data Privacy
  • Why is Data Privacy Important
  • Data Privacy in the Philippines
    • Data Privacy Act of the Philippines
      • Relevant Terms and Provisions
  • Data Processing Guidelines
    • Storing Personal Data
    • Disposal of Personal Data

As businesses and industries dive deeper into tech and digital solutions, data has become an invaluable resource that enterprises collect to provide better customer service. This information also allows them to grow and expand their business at an increasing rate when used correctly.

Such data is collected on a large scale, gathered from consumers through registration platforms, inquiries, purchases, and the like. At that scale, it is natural for customers to be wary of the information they hand over, fearing that it will be leaked, sold, or used improperly by the business itself or exposed through attacks by third parties.

This is where data privacy comes into play. In this article, we will discuss the Data Privacy Act in the Philippines and its importance in keeping your customer data safe while ensuring full compliance with relevant laws.

What is Data Privacy?

Data privacy ensures the right of an individual to control the collection of, access to, and use of personal information about them that is under the control or custody of the government or the private sector.

It refers to the handling of various kinds of personal information, such as personal health information (PHI) or personally identifiable information (PII). The information collected depends on what the entity is requesting, including, but not limited to, SSS/GSIS numbers, TIN numbers, health records, financial data, and other personal data.

Businesses use this data to help shape decision-making. Data collection in business usually involves the categories above, along with other information that helps the company operate, such as development data, feedback and concerns, and proprietary research.

Why is Data Privacy Important?

As an entrepreneur, keeping your customers satisfied and secure must be your highest priority. The same must apply to the collection of sensitive and private data. If such information is leaked or compromised, the safety of your customers and your company can be at risk.

There are many risks associated with data compromise or leakage, and any of them can significantly damage your company. Identity theft, discrimination, and reputational damage are only a few of the consequences a data breach can have for both your company and your customers.

Data Privacy in the Philippines

In 2012, the Philippine government enacted the Data Privacy Act of 2012 (DPA) into law to protect personal and sensitive information used in communication systems in public and private sectors in the country.

The law also created the National Privacy Commission (NPC), an independent body that serves as the country’s privacy watchdog. The NPC is mandated to administer and implement the regulations provided under the DPA while ensuring that the country’s data protection regime is on par with international standards.

The Salient Terms and Provisions Under DPA

As mentioned above, the primary function of DPA is to protect and regulate the collection of data or personal information while ensuring that the Philippines complies with international data privacy standards.

In this section, we list the salient features of the DPA to help you fully grasp its functions, rules, and regulations.

Legal Definition of Consent and Data Subject under the Data Privacy Act

Consent of the data subject refers to any freely given, specific, informed indication of will whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. The consent shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Data subject refers to an individual whose personal information is processed.

Parameters of Data Processing of Personal Information

Criteria for Lawful Processing of Personal Information. – The processing of personal data is allowed only when at least one of the following conditions exists, unless otherwise prohibited by law:

a. The data subject has provided consent
b. The processing of personal information is necessary for and related to the fulfillment of a contract with the data subject
c. The processing is necessary for compliance with a legal obligation
d. The processing is necessary to protect the vital interests of the data subject, including life and health
e. The processing is necessary for national emergencies, public order and safety, or the fulfillment of functions of public authority
f. The processing is necessary for the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed. However, the processing is prohibited if it conflicts with the fundamental rights and freedoms of the data subject protected under the Philippine Constitution. (Section 12 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information is prohibited, except in the following cases:

a. The data subject or all parties concerned with the privileged information has provided consent for the specific purpose before its processing.
b. If consent for processing is not required by law or regulations, the processing must guarantee the protection of sensitive personal information and privileged information under existing laws and regulations.
c. The processing is necessary to protect the life and health of the data subject or another person if the subject is not legally or physically able to consent to the processing.
d. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, as long as there is consent for the processing, the processing is confined to and related to the bona fide members of the organization, and the sensitive information is not transferred to third parties.
e. The processing is necessary for medical treatment carried out by a medical practitioner or institution while ensuring the protection of personal information.
f. The processing is necessary to protect natural or legal persons’ lawful rights and interests in court proceedings, the establishment, exercise, or defense of legal claims, or when provided to government or public authority. (Section 13 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Subcontracting the Processing of Personal Information

Subcontract of Personal Information. – An entity is allowed to subcontract the processing of personal information, as long as the personal information controller (PIC) ensures that proper safeguards are in place to maintain the confidentiality of the information, prevent its use for unauthorized purposes, and comply with the regulations of the DPA and other laws concerning the processing of personal information. (Section 14 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

The Rights of the Data Subject

Rights of the Data Subject. – The data subject is entitled to the following rights during the processing of their personal information:

  • Right to be informed
  • Right to access
  • Right to object to the processing of their personal information (where applicable)
  • Right to correct or rectify their personal information
  • Right to block or remove
  • Right to damages
  • Right to data portability
  • Right to file a complaint

(Section 16 of R.A. 10173 otherwise known as the Data Privacy Act of 2012)

Transmissibility of Rights of the Data Subject. – If the data subject has passed away or becomes incapacitated, their legal heirs or assignees may invoke their data privacy rights. (Section 17 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Right to Data Portability. – Where personal information is processed by electronic means and in a structured and commonly used format, the data subject has the right to obtain a copy of the data undergoing processing in an electronic or structured format. (Section 18 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Security and Accountability of Personal Information

Security of Personal Information. – Personal Information Controllers (PICs) are required to implement adequate and appropriate organizational, physical, and technical measures to protect personal information against data breaches and the risk of unlawful processing. The PIC must notify the NPC and the affected data subjects if such a breach occurs. (Section 20 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Data Privacy Involving Government Entities

Responsibility of Heads of Agencies. – Heads of government agencies must ensure that the systems handling or maintaining sensitive personal information comply with the DPA and its provisions. The NPC shall monitor compliance and may recommend the necessary action to satisfy the minimum standards. (Section 22 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Applicability to Government Contractors. – Upon entering into any contract that involves accessing or requiring sensitive personal information from one thousand (1,000) individuals or more, the agency must require the contractor and its employees to register their personal data processing system with the NPC. (Section 24 of R.A. 10173, otherwise known as the Data Privacy Act of 2012)

Penalties Concerning Data Privacy

Table 1: Penalties based on Chapter VIII of the Data Privacy Act of 2012 and Rule XIII of its IRR

Data Processing Guidelines

The DPA Implementing Rules and Regulations (IRR) provide a set of data processing guidelines to ensure proper data privacy compliance among organizations in the Philippines.

Requesting Consent from Data Subject

To protect privacy, the law requires organizations to provide their data subjects with the following information before personal data is entered into any processing system, or at the next practical opportunity:

  1. Description of the personal data to be entered into the system
  2. Purposes for which the data will be processed (e.g. direct marketing, statistical, or scientific purposes)
  3. Basis for processing, especially when it is not based on consent (e.g. public health and safety, mandatory reporting of illness, disease surveillance)
  4. Scope and method of personal data processing
  5. Recipients to whom data may be disclosed
  6. Methods used for automated access by the recipient and the extent to which such access is authorized
  7. Identity and contact details of the Personal Information Controller (PIC) or its representative
  8. The duration for which data will be stored
  9. Existence of the rights of the data subjects

Storing Data Subject’s Information

The DPA IRR provides that personal data shall not be retained longer than necessary:

  1. For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
  2. For the establishment, exercise, or defense of legal claims; or
  3. For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agencies.

Likewise, the retention of personal data shall be allowed in cases provided by law.

In addition, the PIC must implement reasonable and appropriate organizational, physical, and technical measures to protect personal information against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.

Disposal of Personal Data

Under the IRR, personal data shall be disposed of or discarded securely so as to prevent further processing, unauthorized access, or disclosure to any other party or the public, or any prejudice to the interests of the data subjects. The DPA penalizes the improper disposal of personal information and sensitive personal information.

Ensure Proper Compliance with Relevant Data Privacy Laws

Being knowledgeable about the relevant data privacy rules can help you protect your customers’ privacy and ensure full compliance, avoiding the penalties your company could otherwise incur. Moreover, proper handling of data can place you at an advantage, allowing you to maximize your operations and boost growth for your company.

Understanding the various provisions within the DPA and its IRR can be confusing. If you find these requirements daunting, you can reach out to specialized corporate law firms to help you fully grasp the data privacy laws and implement them properly in your business.

Understand The Relevance And Effects Of Data Privacy To Your Business

Our dedicated team of lawyers can assist in navigating the data privacy compliance needs of your business.

Author

  • Atty Catacutan, EJ - CLA

    Atty. Edryne Jeth “EJ” F. Juntilla – Catacutan, is a litigation and corporate lawyer of Carpo Law & Associates. She has been a member of the Integrated Bar of the Philippines since 2016.