Data Privacy Act

Cards (47)

  • Title
    Implementing Rules and Regulations of the Data Privacy Act of 2012
  • Scope
    • The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector
    • They apply to an act done or practice engaged in and outside of the Philippines if:
      • the natural or juridical person involved in the processing of personal data is found or established in the Philippines
      • the act, practice or processing relates to personal data about a Philippine citizen or Philippine resident
      • the processing of personal data is being done in the Philippines, or
      • the act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines
  • Special Cases
    • Information processed for the purpose of allowing public access to information that falls within matters of public concern
    • Personal information processed for journalistic, artistic or literary purpose
    • Personal information that will be processed for research purpose, intended for a public benefit
    • Information necessary in order to carry out the functions of public authority
    • Information necessary for banks, other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and other bodies authorized by law
    • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions
  • Protection afforded to Data Subjects
    • The personal information controller or personal information processor shall uphold the rights of data subjects, and adhere to general data privacy principles and the requirements of lawful processing
    • The burden of proving that the Act and these Rules are not applicable to a particular information falls on those involved in the processing of personal data or the party claiming the non-applicability
    • The determination of any exemption shall be liberally interpreted in favor of the rights and interests of the data subject
  • Protection Afforded to Journalists and their Sources
    • Publishers, editors, or duly accredited reporters of any newspaper, magazine or periodical of general circulation shall not be compelled to reveal the source of any news report or information appearing in said publication if it was related in any confidence to such publisher, editor, or reporter
    • Publishers, editors, or duly accredited reporters who are likewise personal information controllers or personal information processors within the meaning of the law are still bound to follow the Data Privacy Act and related issuances with regard to the processing of personal data, upholding rights of their data subjects and maintaining compliance with other provisions that are not incompatible with the protection provided by Republic Act No. 53
  • Mandate
    The National Privacy Commission is an independent body mandated to administer and implement the Act, and to monitor and ensure compliance of the country with international standards set for personal data protection
  • Functions
    • Rule Making
    • Advisory
    • Public Education
  • Commission
    Advisory body on matters affecting protection of personal data
  • Functions of the Commission
    1. Commenting on implications of proposed statutes, regulations or procedures on data privacy
    2. Reviewing, approving, rejecting, or requiring modification of privacy codes
    3. Providing assistance on matters relating to privacy or data protection
    4. Assisting Philippine companies doing business abroad to respond to data protection laws and regulations
  • Public Education functions of the Commission
    1. Publishing a guide to all laws relating to data protection
    2. Publishing a compilation of agency system of records and notices
    3. Coordinating with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal data in the country
  • Compliance and Monitoring functions of the Commission
    1. Ensuring compliance by personal information controllers with the provisions of the Act
    2. Monitoring the compliance of all government agencies or instrumentalities as regards their security and technical measures
    3. Negotiating and contracting with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws
    4. Managing the registration of personal data processing systems in the country
  • Complaints and Investigations functions of the Commission
    1. Receiving complaints and instituting investigations regarding violations
    2. Summoning witnesses, and requiring the production of evidence
    3. Facilitating or enabling settlement of complaints through the use of alternative dispute resolution processes
    4. Preparing reports on the disposition of complaints and the resolution of any investigation it initiates
  • Enforcement functions of the Commission
    1. Issuing compliance or enforcement orders
    2. Awarding indemnity on matters affecting any personal data, or rights of data subjects
    3. Issuing cease and desist orders, or imposing a temporary or permanent ban on the processing of personal data
    4. Recommending to the Department of Justice the prosecution of crimes and imposition of penalties
    5. Compelling or petitioning any entity, government agency, or instrumentality, to abide by its orders or take action
    6. Imposing administrative fines for violations
  • Administrative Issuances of the Commission
    • Rules of procedure in the exercise of its quasi-judicial functions
    • Schedule of administrative fines and penalties
    • Procedure for registration of data processing systems, and notification
    • Other administrative issuances consistent with its mandate and other functions
  • The Commission shall report annually to the President and Congress regarding its activities
  • Members, employees, and consultants of the Commission shall ensure confidentiality of any personal data that come to their knowledge and possession
  • Organizational Structure of the Commission
    • Headed by a Privacy Commissioner
    • Assisted by two Deputy Privacy Commissioners
    • Authorized to establish a Secretariat
  • General Data Privacy Principles
    • Transparency
    • Legitimate purpose
    • Proportionality
  • Principles of Transparency
    • Data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data
    • Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language
  • Principle of Legitimate Purpose
    The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy
  • Principle of Proportionality
    • The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose
    • Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means
  • General principles in collection, processing and retention
    • Collection must be for a declared, specified, and legitimate purpose
    • Personal data shall be processed fairly and lawfully
    • Processing should ensure data quality
    • Personal Data shall not be retained longer than necessary
    • Any authorized further processing shall have adequate safeguards
  • Principles for Data Sharing
    • Data sharing shall be allowed when it is expressly authorized by law
    • Data sharing shall be allowed in the private sector if the data subject consents to data sharing, and certain conditions are complied with
    • Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject
    • Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement
  • Sensitive Personal Information and Privileged Information
    The processing of sensitive personal and privileged information is prohibited, except in certain cases
  • The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of data subject
  • Cases in which processing of Sensitive Personal Information and Privileged Information is allowed
    1. Consent is given by data subject, or by the parties to the exchange of privileged information, prior to the processing
    2. The processing is provided for by existing laws and regulations
    3. The processing is necessary to protect the life and health of the data subject or another person
    4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations
    5. The processing is necessary for the purpose of medical treatment
    6. The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons
  • Right to be informed
    The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling
  • Information the data subject shall be notified and furnished with
    • Description of the personal data to be entered into the system
    • Purposes for which they are being or will be processed
    • Basis of processing
    • Scope and method of the personal data processing
    • The recipients or classes of recipients to whom the personal data are or may be disclosed
    • Methods utilized for automated access
    • The identity and contact details of the personal data controller or its representative
    • The period for which the information will be stored
    • The existence of their rights as data subjects
  • Right to object
    The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling
  • Right to Access
    The data subject has the right to reasonable access to, upon demand, the contents of his or her personal data, sources, recipients, manner of processing, reasons for disclosure, information on automated processes, date of last access and modification, and the designation, name or identity, and address of the personal information controller
  • Right to rectification
    The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly
  • Right to Erasure or Blocking
    The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller's filing system
  • Right to damages
    The data subject shall be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data
  • The rights of the data subject shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject
  • The rights of the data subject shall not be applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject
  • Penalties for unauthorized processing of personal information and sensitive personal information
    1. Imprisonment ranging from 1-3 years and fine of Php500,000-Php2,000,000 for personal information
    2. Imprisonment ranging from 3-6 years and fine of Php500,000-Php4,000,000 for sensitive personal information
  • Penalties for accessing personal information and sensitive personal information due to negligence
    1. Imprisonment ranging from 1-3 years and fine of Php500,000-Php2,000,000 for personal information
    2. Imprisonment ranging from 3-6 years and fine of Php500,000-Php4,000,000 for sensitive personal information
  • Penalties for improper disposal of personal information and sensitive personal information
    1. Imprisonment ranging from 6 months-2 years and fine of Php100,000-Php500,000 for personal information
    2. Imprisonment ranging from 1-3 years and fine of Php100,000-Php1,000,000 for sensitive personal information
  • Penalties for processing of personal information and sensitive personal information for unauthorized purposes
    1. Imprisonment ranging from 1 year 6 months-5 years and fine of Php500,000-Php1,000,000 for personal information
    2. Imprisonment ranging from 2-7 years and fine of Php500,000-Php2,000,000 for sensitive personal information
  • Penalties for unauthorized access or intentional breach
    Imprisonment ranging from 1-3 years and fine of Php500,000-Php2,000,000