Vous êtes sur la page 1sur 26

Republic of the Philippines a system for generating, sending, receiving, storing or

Congress of the Philippines otherwise processing electronic data messages or


Metro Manila electronic documents and includes the computer
Fifteenth Congress system or other similar device by or which data is
Second Regular Session recorded, transmitted or stored and any procedure
Begun and held in Metro Manila, on Monday, the related to the recording, transmission or storage of
twenty-fifth day of July, two thousand eleven. electronic data, electronic message, or electronic
[REPUBLIC ACT NO. 10173] document.
AN ACT PROTECTING INDIVIDUAL (g) Personal information refers to any information
PERSONAL INFORMATION IN whether recorded in a material form or not, from
INFORMATION AND COMMUNICATIONS which the identity of an individual is apparent or can
SYSTEMS IN THE GOVERNMENT AND THE be reasonably and directly ascertained by the entity
PRIVATE SECTOR, CREATING FOR THIS holding the information, or when put together with
PURPOSE A NATIONAL PRIVACY other information would directly and certainly
COMMISSION, AND FOR OTHER PURPOSES identify an individual.
Be it enacted, by the Senate and House of (h) Personal information controller refers to a person
Representatives of the Philippines in Congress or organization who controls the collection, holding,
assembled: processing or use of personal information, including
CHAPTER I a person or organization who instructs another person
GENERAL PROVISIONS or organization to collect, hold, process, use, transfer
or disclose personal information on his or her behalf.
SECTION 1. Short Title. This Act shall be known The term excludes:
as the Data Privacy Act of 2012. (1) A person or organization who performs such
functions as instructed by another person or
SEC. 2. Declaration of Policy. It is the policy of the organization; and
State to protect the fundamental human right of (2) An individual who collects, holds, processes or
privacy, of communication while ensuring free flow uses personal information in connection with the
of information to promote innovation and growth. individuals personal, family or household affairs.
The State recognizes the vital role of information and (i) Personal information processor refers to any
communications technology in nation-building and natural or juridical person qualified to act as such
its inherent obligation to ensure that personal under this Act to whom a personal information
information in information and communications controller may outsource the processing of personal
systems in the government and in the private sector data pertaining to a data subject.
are secured and protected. (j) Processing refers to any operation or any set of
operations performed upon personal information
SEC. 3. Definition of Terms. Whenever used in this including, but not limited to, the collection,
Act, the following terms shall have the respective recording, organization, storage, updating or
meanings hereafter set forth: modification, retrieval, consultation, use,
(a) Commission shall refer to the National Privacy consolidation, blocking, erasure or destruction of
Commission created by virtue of this Act. data.
(b) Consent of the data subject refers to any freely (k) Privileged information refers to any and all forms
given, specific, informed indication of will, whereby of data which under the Rules of Court and other
the data subject agrees to the collection and pertinent laws constitute privileged communication.
processing of personal information about and/or (l) Sensitive personal information refers to personal
relating to him or her. Consent shall be evidenced by information:
written, electronic or recorded means. It may also be (1) About an individuals race, ethnic origin, marital
given on behalf of the data subject by an agent status, age, color, and religious, philosophical or
specifically authorized by the data subject to do so. political affiliations;
(c) Data subject refers to an individual whose (2) About an individuals health, education, genetic or
personal information is processed. sexual life of a person, or to any proceeding for any
(d) Direct marketing refers to communication by offense committed or alleged to have been committed
whatever means of any advertising or marketing by such person, the disposal of such proceedings, or
material which is directed to particular individuals. the sentence of any court in such proceedings;
(e) Filing system refers to any act of information (3) Issued by government agencies peculiar to an
relating to natural or juridical persons to the extent individual which includes, but not limited to, social
that, although the information is not processed by security numbers, previous or cm-rent health records,
equipment operating automatically in response to licenses or its denials, suspension or revocation, and
instructions given for that purpose, the set is tax returns; and
structured, either by reference to individuals or by (4) Specifically established by an executive order or
reference to criteria relating to individuals, in such a an act of Congress to be kept classified.
way that specific information relating to a particular
person is readily accessible. SEC. 4. Scope. This Act applies to the processing of
(f) Information and Communications System refers to all types of personal information and to any natural
1 of 26
and juridical person involved in personal information Sources. Nothing in this Act shall be construed as to
processing including those personal information have amended or repealed the provisions of Republic
controllers and processors who, although not found or Act No. 53, which affords the publishers, editors or
established in the Philippines, use equipment that are duly accredited reporters of any newspaper, magazine
located in the Philippines, or those who maintain an or periodical of general circulation protection from
office, branch or agency in the Philippines subject to being compelled to reveal the source of any news
the immediately succeeding paragraph: Provided, report or information appearing in said publication
That the requirements of Section 5 are complied with. which was related in any confidence to such
This Act does not apply to the following: publisher, editor, or reporter.
(a) Information about any individual who is or was an
officer or employee of a government institution that SEC. 6. Extraterritorial Application. This Act
relates to the position or functions of the individual, applies to an act done or practice engaged in and
including: outside of the Philippines by an entity if:
(1) The fact that the individual is or was an officer or (a) The act, practice or processing relates to personal
employee of the government institution; information about a Philippine citizen or a resident;
(2) The title, business address and office telephone (b) The entity has a link with the Philippines, and the
number of the individual; entity is processing personal information in the
(3) The classification, salary range and Philippines or even if the processing is outside the
responsibilities of the position held by the individual; Philippines as long as it is about Philippine citizens
and or residents such as, but not limited to, the following:
(4) The name of the individual on a document (1) A contract is entered in the Philippines;
prepared by the individual in the course of (2) A juridical entity unincorporated in the
employment with the government; Philippines but has central management and control
(b) Information about an individual who is or was in the country; and
performing service under contract for a government (3) An entity that has a branch, agency, office or
institution that relates to the services performed, subsidiary in the Philippines and the parent or
including the terms of the contract, and the name of affiliate of the Philippine entity has access to personal
the individual given in the course of the performance information; and
of those services; (c) The entity has other links in the Philippines such
(c) Information relating to any discretionary benefit as, but not limited to:
of a financial nature such as the granting of a license (1) The entity carries on business in the Philippines;
or permit given by the government to an individual, and
including the name of the individual and the exact (2) The personal information was collected or held by
nature of the benefit; an entity in the Philippines.
(d) Personal information processed for journalistic,
artistic, literary or research purposes; CHAPTER II
(e) Information necessary in order to carry out the THE NATIONAL PRIVACY COMMISSION
functions of public authority which includes the
processing of personal data for the performance by SEC. 7. Functions of the National Privacy
the independent, central monetary authority and law Commission. To administer and implement the
enforcement and regulatory agencies of their provisions of this Act, and to monitor and ensure
constitutionally and statutorily mandated functions. compliance of the country with international
Nothing in this Act shall be construed as to have standards set for data protection, there is hereby
amended or repealed Republic Act No. 1405, created an independent body to be known as the
otherwise known as the Secrecy of Bank Deposits National Privacy Commission, winch shall have the
Act; Republic Act No. 6426, otherwise known as the following functions:
Foreign Currency Deposit Act; and Republic Act No. (a) Ensure compliance of personal information
9510, otherwise known as the Credit Information controllers with the provisions of this Act;
System Act (CISA); (b) Receive complaints, institute investigations,
(f) Information necessary for banks and other facilitate or enable settlement of complaints through
financial institutions under the jurisdiction of the the use of alternative dispute resolution processes,
independent, central monetary authority or Bangko adjudicate, award indemnity on matters affecting any
Sentral ng Pilipinas to comply with Republic Act No. personal information, prepare reports on disposition
9510, and Republic Act No. 9160, as amended, of complaints and resolution of any investigation it
otherwise known as the Anti-Money Laundering Act initiates, and, in cases it deems appropriate, publicize
and other applicable laws; and any such report: Provided, That in resolving any
(g) Personal information originally collected from complaint or investigation (except where amicable
residents of foreign jurisdictions in accordance with settlement is reached by the parties), the Commission
the laws of those foreign jurisdictions, including any shall act as a collegial body. For this purpose, the
applicable data privacy laws, which is being Commission may be given access to personal
processed in the Philippines. information that is subject of any complaint and to
collect the information necessary to perform its
SEC. 5. Protection Afforded to Journalists and Their functions under this Act;
2 of 26
(c) Issue cease and desist orders, impose a temporary (q) Generally perform such acts as may be necessary
or permanent ban on the processing of personal to facilitate cross-border enforcement of data privacy
information, upon finding that the processing will be protection.
detrimental to national security and public interest;
(d) Compel or petition any entity, government agency SEC. 8. Confidentiality. The Commission shall
or instrumentality to abide by its orders or take action ensure at all times the confidentiality of any personal
on a matter affecting data privacy; information that comes to its knowledge and
(e) Monitor the compliance of other government possession.
agencies or instrumentalities on their security and
technical measures and recommend the necessary SEC. 9. Organizational Structure of the Commission.
action in order to meet minimum standards for The Commission shall be attached to the
protection of personal information pursuant to this Department of Information and Communications
Act; Technology (DICT) and shall be headed by a Privacy
(f) Coordinate with other government agencies and Commissioner, who shall also act as Chairman of the
the private sector on efforts to formulate and Commission. The Privacy Commissioner shall be
implement plans and policies to strengthen the assisted by two (2) Deputy Privacy Commissioners,
protection of personal information in the country; one to be responsible for Data Processing Systems
(g) Publish on a regular basis a guide to all laws and one to be responsible for Policies and Planning.
relating to data protection; The Privacy Commissioner and the two (2) Deputy
(h) Publish a compilation of agency system of records Privacy Commissioners shall be appointed by the
and notices, including index and other finding aids; President of the Philippines for a term of three (3)
(i) Recommend to the Department of Justice (DOJ) years, and may be reappointed for another term of
the prosecution and imposition of penalties specified three (3) years. Vacancies in the Commission shall be
in Sections 25 to 29 of this Act; filled in the same manner in which the original
(j) Review, approve, reject or require modification of appointment was made.
privacy codes voluntarily adhered to by personal The Privacy Commissioner must be at least thirty-
information controllers:Provided, That the privacy five (35) years of age and of good moral character,
codes shall adhere to the underlying data privacy unquestionable integrity and known probity, and a
principles embodied in this Act: Provided, recognized expert in the field of information
further,That such privacy codes may include private technology and data privacy. The Privacy
dispute resolution mechanisms for complaints against Commissioner shall enjoy the benefits, privileges and
any participating personal information controller. For emoluments equivalent to the rank of Secretary.
this purpose, the Commission shall consult with The Deputy Privacy Commissioners must be
relevant regulatory agencies in the formulation and recognized experts in the field of information and
administration of privacy codes applying the communications technology and data privacy. They
standards set out in this Act, with respect to the shall enjoy the benefits, privileges and emoluments
persons, entities, business activities and business equivalent to the rank of Undersecretary.
sectors that said regulatory bodies are authorized to The Privacy Commissioner, the Deputy
principally regulate pursuant to the law: Provided, Commissioners, or any person acting on their behalf
finally. That the Commission may review such or under their direction, shall not be civilly liable for
privacy codes and require changes thereto for acts done in good faith in the performance of their
purposes of complying with this Act; duties. However, he or she shall be liable for willful
(k) Provide assistance on matters relating to privacy or negligent acts done by him or her which are
or data protection at the request of a national or local contrary to law, morals, public policy and good
agency, a private entity or any person; customs even if he or she acted under orders or
(l) Comment on the implication on data privacy of instructions of superiors: Provided, That in case a
proposed national or local statutes, regulations or lawsuit is filed against such official on the subject of
procedures, issue advisory opinions and interpret the the performance of his or her duties, where such
provisions of this Act and other data privacy laws; performance is lawful, he or she shall be reimbursed
(m) Propose legislation, amendments or by the Commission for reasonable costs of litigation.
modifications to Philippine laws on privacy or data
protection as may be necessary; SEC. 10. The Secretariat. The Commission is
(n) Ensure proper and effective coordination with hereby authorized to establish a Secretariat. Majority
data privacy regulators in other countries and private of the members of the Secretariat must have served
accountability agents, participate in international and for at least five (5) years in any agency of the
regional initiatives for data privacy protection; government that is involved in the processing of
(o) Negotiate and contract with other data privacy personal information including, but not limited to, the
authorities of other countries for cross-border following offices: Social Security System (SSS),
application and implementation of respective privacy Government Service Insurance System (GSIS), Land
laws; Transportation Office (LTO), Bureau of Internal
(p) Assist Philippine companies doing business Revenue (BIR), Philippine Health Insurance
abroad to respond to foreign privacy or data Corporation (PhilHealth), Commission on Elections
protection laws and regulations; and (COMELEC), Department of Foreign Affairs (DFA),
3 of 26
Department of Justice (DOJ), and Philippine Postal (e) The processing is necessary in order to respond to
Corporation (Philpost). national emergency, to comply with the requirements
of public order and safety, or to fulfill functions of
CHAPTER III public authority which necessarily includes the
PROCESSING OF PERSONAL INFORMATION processing of personal data for the fulfillment of its
mandate; or
SEC. 11. General Data Privacy Principles. The (f) The processing is necessary for the purposes of
processing of personal information shall be allowed, the legitimate interests pursued by the personal
subject to compliance with the requirements of this information controller or by a third party or parties to
Act and other laws allowing disclosure of whom the data is disclosed, except where such
information to the public and adherence to the interests are overridden by fundamental rights and
principles of transparency, legitimate purpose and freedoms of the data subject which require protection
proportionality. under the Philippine Constitution.
Personal information must, be:,
(a) Collected for specified and legitimate purposes SEC. 13. Sensitive Personal Information and
determined and declared before, or as soon as Privileged Information. The processing of sensitive
reasonably practicable after collection, and later personal information and privileged information shall
processed in a way compatible with such declared, be prohibited, except in the following cases:
specified and legitimate purposes only; (a) The data subject has given his or her consent,
(b) Processed fairly and lawfully; specific to the purpose prior to the processing, or in
(c) Accurate, relevant and, where necessary for the case of privileged information, all parties to the
purposes for which it is to be used the processing of exchange have given their consent prior to
personal information, kept up to date; inaccurate or processing;
incomplete data must be rectified, supplemented, (b) The processing of the same is provided for by
destroyed or their further processing restricted; existing laws and regulations: Provided, That such
(d) Adequate and not excessive in relation to the regulatory enactments guarantee the protection of the
purposes for which they are collected and processed; sensitive personal information and the privileged
(e) Retained only for as long as necessary for the information: Provided, further, That the consent of
fulfillment of the purposes for which the data was the data subjects are not required by law or regulation
obtained or for the establishment, exercise or defense permitting the processing of the sensitive personal
of legal claims, or for legitimate business purposes, information or the privileged information;
or as provided by law; and (c) The processing is necessary to protect the life and
(f) Kept in a form which permits identification of health of the data subject or another person, and the
data subjects for no longer than is necessary for the data subject is not legally or physically able to
purposes for which the data were collected and express his or her consent prior to the processing;
processed: Provided, That personal information (d) The processing is necessary to achieve the lawful
collected for other purposes may lie processed for and noncommercial objectives of public
historical, statistical or scientific purposes, and in organizations and their associations: Provided, That
cases laid down in law may be stored for longer such processing is only confined and related to the
periods: Provided, further,That adequate safeguards bona fide members of these organizations or their
are guaranteed by said laws authorizing their associations: Provided, further, That the sensitive
processing. personal information are not transferred to third
The personal information controller must ensure parties: Provided, finally, That consent of the data
implementation of personal information processing subject was obtained prior to processing;
principles set out herein. (e) The processing is necessary for purposes of
medical treatment, is carried out by a medical
SEC. 12. Criteria for Lawful Processing of Personal practitioner or a medical treatment institution, and an
Information. The processing of personal adequate level of protection of personal information
information shall be permitted only if not otherwise is ensured; or
prohibited by law, and when at least one of the (f) The processing concerns such personal
following conditions exists: information as is necessary for the protection of
(a) The data subject has given his or her consent; lawful rights and interests of natural or legal persons
(b) The processing of personal information is in court proceedings, or the establishment, exercise or
necessary and is related to the fulfillment of a defense of legal claims, or when provided to
contract with the data subject or in order to take steps government or public authority.
at the request of the data subject prior to entering into
a contract; SEC. 14. Subcontract of Personal Information. A
(c) The processing is necessary for compliance with a personal information controller may subcontract the
legal obligation to which the personal information processing of personal information: Provided, That
controller is subject; the personal information controller shall be
(d) The processing is necessary to protect vitally responsible for ensuring that proper safeguards are in
important interests of the data subject, including life place to ensure the confidentiality of the personal
and health; information processed, prevent its use for
4 of 26
unauthorized purposes, and generally, comply with obtained;
the requirements of this Act and other laws for (3) Names and addresses of recipients of the personal
processing of personal information. The personal information;
information processor shall comply with all the (4) Manner by which such data were processed;
requirements of this Act and other applicable laws. (5) Reasons for the disclosure of the personal
information to recipients;
SEC. 15. Extension of Privileged Communication. (6) Information on automated processes where the
Personal information controllers may invoke the data will or likely to be made as the sole basis for any
principle of privileged communication over decision significantly affecting or will affect the data
privileged information that they lawfully control or subject;
process. Subject to existing laws and regulations, any (7) Date when his or her personal information
evidence gathered on privileged information is concerning the data subject were last accessed and
inadmissible. modified; and
(8) The designation, or name or identity and address
CHAPTER IV of the personal information controller;
RIGHTS OF THE DATA SUBJECT (d) Dispute the inaccuracy or error in the personal
information and have the personal information
SEC. 16. Rights of the Data Subject. The data controller correct it immediately and accordingly,
subject is entitled to: unless the request is vexatious or otherwise
(a) Be informed whether personal information unreasonable. If the personal information have been
pertaining to him or her shall be, are being or have corrected, the personal information controller shall
been processed; ensure the accessibility of both the new and the
(b) Be furnished the information indicated hereunder retracted information and the simultaneous receipt of
before the entry of his or her personal information the new and the retracted information by recipients
into the processing system of the personal thereof: Provided, That the third parties who have
information controller, or at the next practical previously received such processed personal
opportunity: information shall he informed of its inaccuracy and
(1) Description of the personal information to be its rectification upon reasonable request of the data
entered into the system; subject;
(2) Purposes for which they are being or are to be (e) Suspend, withdraw or order the blocking, removal
processed; or destruction of his or her personal information from
(3) Scope and method of the personal information the personal information controllers filing system
processing; upon discovery and substantial proof that the
(4) The recipients or classes of recipients to whom personal information are incomplete, outdated, false,
they are or may be disclosed; unlawfully obtained, used for unauthorized purposes
(5) Methods utilized for automated access, if the or are no longer necessary for the purposes for which
same is allowed by the data subject, and the extent to they were collected. In this case, the personal
which such access is authorized; information controller may notify third parties who
(6) The identity and contact details of the personal have previously received such processed personal
information controller or its representative; information; and
(7) The period for which the information will be (f) Be indemnified for any damages sustained due to
stored; and such inaccurate, incomplete, outdated, false,
(8) The existence of their rights, i.e., to access, unlawfully obtained or unauthorized use of personal
correction, as well as the right to lodge a complaint information.
before the Commission.
Any information supplied or declaration made to the SEC. 17. Transmissibility of Rights of the Data
data subject on these matters shall not be amended Subject. The lawful heirs and assigns of the data
without prior notification of data subject: Provided, subject may invoke the rights of the data subject for,
That the notification under subsection (b) shall not which he or she is an heir or assignee at any time
apply should the personal information be needed after the death of the data subject or when the data
pursuant to a subpoena or when the collection and subject is incapacitated or incapable of exercising the
processing are for obvious purposes, including when rights as enumerated in the immediately preceding
it is necessary for the performance of or in relation to section.
a contract or service or when necessary or desirable
in the context of an employer-employee relationship, SEC. 18. Right to Data Portability. The data
between the collector and the data subject, or when subject shall have the right, where personal
the information is being collected and processed as a information is processed by electronic means and in a
result of legal obligation; structured and commonly used format, to obtain from
(c) Reasonable access to, upon demand, the the personal information controller a copy of data
following: undergoing processing in an electronic or structured
(1) Contents of his or her personal information that format, which is commonly used and allows for
were processed; further use by the data subject. The Commission may
(2) Sources from which personal information were specify the electronic format referred to above, as
5 of 26
well as the technical standards, modalities and and hold personal information under strict
procedures for their transfer. confidentiality if the personal information are not
SEC. 19. Non-Applicability. The immediately intended for public disclosure. This obligation shall
preceding sections are not applicable if the processed continue even after leaving the public service,
personal information are used only for the needs of transfer to another position or upon termination of
scientific and statistical research and, on the basis of employment or contractual relations.
such, no activities are carried out and no decisions are (f) The personal information controller shall promptly
taken regarding the data subject: Provided, That the notify the Commission and affected data subjects
personal information shall be held under strict when sensitive personal information or other
confidentiality and shall be used only for the declared information that may, under the circumstances, be
purpose. Likewise, the immediately preceding used to enable identity fraud are reasonably believed
sections are not applicable to processing of personal to have been acquired by an unauthorized person, and
information gathered for the purpose of investigations the personal information controller or the
in relation to any criminal, administrative or tax Commission believes (bat such unauthorized
liabilities of a data subject acquisition is likely to give rise to a real risk of
serious harm to any affected data subject. The
CHAPTER V notification shall at least describe the nature of the
SECURITY OF PERSONAL INFORMATION breach, the sensitive personal information possibly
involved, and the measures taken by the entity to
SEC. 20. Security of Personal Information. (a) The address the breach. Notification may be delayed only
personal information controller must implement to the extent necessary to determine the scope of the
reasonable and appropriate organizational, physical breach, to prevent further disclosures, or to restore
and technical measures intended for the protection of reasonable integrity to the information and
personal information against any accidental or communications system.
unlawful destruction, alteration and disclosure, as (1) In evaluating if notification is unwarranted, the
well as against any other unlawful processing. Commission may take into account compliance by
(b) The personal information controller shall the personal information controller with this section
implement reasonable and appropriate measures to and existence of good faith in the acquisition of
protect personal information against natural dangers personal information.
such as accidental loss or destruction, and human (2) The Commission may exempt a personal
dangers such as unlawful access, fraudulent misuse, information controller from notification where, in its
unlawful destruction, alteration and contamination. reasonable judgment, such notification would not be
(c) The determination of the appropriate level of in the public interest or in the interests of the affected
security under this section must take into account the data subjects.
nature of the personal information to be protected, the (3) The Commission may authorize postponement of
risks represented by the processing, the size of the notification where it may hinder the progress of a
organization and complexity of its operations, current criminal investigation related to a serious breach.
data privacy best practices and the cost of security
implementation. Subject to guidelines as the CHAPTER VI
Commission may issue from time to time, the ACCOUNTABILITY FOR TRANSFER OF
measures implemented must include: PERSONAL INFORMATION
(1) Safeguards to protect its computer network
against accidental, unlawful or unauthorized usage or SEC. 21. Principle of Accountability. Each personal
interference with or hindering of their functioning or information controller is responsible for personal
availability; information under its control or custody, including
(2) A security policy with respect to the processing of information that have been transferred to a third party
personal information; for processing, whether domestically or
(3) A process for identifying and accessing internationally, subject to cross-border arrangement
reasonably foreseeable vulnerabilities in its computer and cooperation.
networks, and for taking preventive, corrective and (a) The personal information controller is accountable
mitigating action against security incidents that can for complying with the requirements of this Act and
lead to a security breach; and shall use contractual or other reasonable means to
(4) Regular monitoring for security breaches and a provide a comparable level of protection while the
process for taking preventive, corrective and information are being processed by a third party.
mitigating action against security incidents that can (b) The personal information controller shall
lead to a security breach. designate an individual or individuals who are
(d) The personal information controller must further accountable for the organizations compliance with
ensure that third parties processing personal this Act. The identity of the individual(s) so
information on its behalf shall implement the security designated shall be made known to any data subject
measures required by this provision. upon request.
(e) The employees, agents or representatives of a
personal information controller who are involved in CHAPTER VII
the processing of personal information shall operate SECURITY OF SENSITIVE PERSONAL
6 of 26
INFORMATION IN GOVERNMENT same manner as agencies and government employees
comply with such requirements.
SEC. 22. Responsibility of Heads of Agencies. All
sensitive personal information maintained by the CHAPTER VIII
government, its agencies and instrumentalities shall PENALTIES
be secured, as far as practicable, with the use of the
most appropriate standard recognized by the SEC. 25. Unauthorized Processing of Personal
information and communications technology Information and Sensitive Personal Information. (a)
industry, and as recommended by the Commission. The unauthorized processing of personal information
The head of each government agency or shall be penalized by imprisonment ranging from one
instrumentality shall be responsible for complying (1) year to three (3) years and a fine of not less than
with the security requirements mentioned herein Five hundred thousand pesos (Php500,000.00) but
while the Commission shall monitor the compliance not more than Two million pesos (Php2,000,000.00)
and may recommend the necessary action in order to shall be imposed on persons who process personal
satisfy the minimum standards. information without the consent of the data subject,
or without being authorized under this Act or any
SEC. 23. Requirements Relating to Access by Agency existing law.
Personnel to Sensitive Personal Information. (a) (b) The unauthorized processing of personal sensitive
On-site and Online Access Except as may be information shall be penalized by imprisonment
allowed through guidelines to be issued by the ranging from three (3) years to six (6) years and a
Commission, no employee of the government shall fine of not less than Five hundred thousand pesos
have access to sensitive personal information on (Php500,000.00) but not more than Four million
government property or through online facilities pesos (Php4,000,000.00) shall be imposed on persons
unless the employee has received a security clearance who process personal information without the
from the head of the source agency. consent of the data subject, or without being
(b) Off-site Access Unless otherwise provided in authorized under this Act or any existing law.
guidelines to be issued by the Commission, sensitive
personal information maintained by an agency may SEC. 26. Accessing Personal Information and
not be transported or accessed from a location off Sensitive Personal Information Due to Negligence.
government property unless a request for such (a) Accessing personal information due to negligence
transportation or access is submitted and approved by shall be penalized by imprisonment ranging from one
the head of the agency in accordance with the (1) year to three (3) years and a fine of not less than
following guidelines: Five hundred thousand pesos (Php500,000.00) but
(1) Deadline for Approval or Disapproval In the not more than Two million pesos (Php2,000,000.00)
case of any request submitted to the head of an shall be imposed on persons who, due to negligence,
agency, such head of the agency shall approve or provided access to personal information without
disapprove the request within two (2) business days being authorized under this Act or any existing law.
after the date of submission of the request. In case (b) Accessing sensitive personal information due to
there is no action by the head of the agency, then such negligence shall be penalized by imprisonment
request is considered disapproved; ranging from three (3) years to six (6) years and a
(2) Limitation to One thousand (1,000) Records If a fine of not less than Five hundred thousand pesos
request is approved, the head of the agency shall limit (Php500,000.00) but not more than Four million
the access to not more than one thousand (1,000) pesos (Php4,000,000.00) shall be imposed on persons
records at a time; and who, due to negligence, provided access to personal
(3) Encryption Any technology used to store, information without being authorized under this Act
transport or access sensitive personal information for or any existing law.
purposes of off-site access approved under this SEC. 27. Improper Disposal of Personal Information
subsection shall be secured by the use of the most and Sensitive Personal Information. (a) The
secure encryption standard recognized by the improper disposal of personal information shall be
Commission. penalized by imprisonment ranging from six (6)
The requirements of this subsection shall be months to two (2) years and a fine of not less than
implemented not later than six (6) months after the One hundred thousand pesos (Php100,000.00) but not
date of the enactment of this Act. more than Five hundred thousand pesos
(Php500,000.00) shall be imposed on persons who
SEC. 24. Applicability to Government Contractors. knowingly or negligently dispose, discard or abandon
In entering into any contract that may involve the personal information of an individual in an area
accessing or requiring sensitive personal information accessible to the public or has otherwise placed the
from one thousand (1,000) or more individuals, an personal information of an individual in its container
agency shall require a contractor and its employees to for trash collection.
register their personal information processing system (b) The improper disposal of sensitive personal
with the Commission in accordance with this Act and information shall be penalized by imprisonment
to comply with the other provisions of this Act ranging from one (1) year to three (3) years and a fine
including the immediately preceding section, in the of not less than One hundred thousand pesos
7 of 26
(Php100,000.00) but not more than One million pesos Five hundred thousand pesos (Php500,000.00) but
(Php1,000,000.00) shall be imposed on persons who not more than One million pesos (Php1,000,000.00).
knowingly or negligently dispose, discard or abandon
the personal information of an individual in an area SEC. 32. Unauthorized Disclosure. (a) Any
accessible to the public or has otherwise placed the personal information controller or personal
personal information of an individual in its container information processor or any of its officials,
for trash collection. employees or agents, who discloses to a third party
personal information not covered by the immediately
SEC. 28. Processing of Personal Information and preceding section without the consent of the data
Sensitive Personal Information for Unauthorized subject, shall he subject to imprisonment ranging
Purposes. The processing of personal information from one (1) year to three (3) years and a fine of not
for unauthorized purposes shall be penalized by less than Five hundred thousand pesos
imprisonment ranging from one (1) year and six (6) (Php500,000.00) but not more than One million pesos
months to five (5) years and a fine of not less than (Php1,000,000.00).
Five hundred thousand pesos (Php500,000.00) but (b) Any personal information controller or personal
not more than One million pesos (Php1,000,000.00) information processor or any of its officials,
shall be imposed on persons processing personal employees or agents, who discloses to a third party
information for purposes not authorized by the data sensitive personal information not covered by the
subject, or otherwise authorized under this Act or immediately preceding section without the consent of
under existing laws. the data subject, shall be subject to imprisonment
The processing of sensitive personal information for ranging from three (3) years to five (5) years and a
unauthorized purposes shall be penalized by fine of not less than Five hundred thousand pesos
imprisonment ranging from two (2) years to seven (7) (Php500,000.00) but not more than Two million
years and a fine of not less than Five hundred pesos (Php2,000,000.00).
thousand pesos (Php500,000.00) but not more than
Two million pesos (Php2,000,000.00) shall be SEC. 33. Combination or Series of Acts. Any
imposed on persons processing sensitive personal combination or series of acts as defined in Sections
information for purposes not authorized by the data 25 to 32 shall make the person subject to
subject, or otherwise authorized under this Act or imprisonment ranging from three (3) years to six (6)
under existing laws. years and a fine of not less than One million pesos
(Php1,000,000.00) but not more than Five million
SEC. 29. Unauthorized Access or Intentional Breach. pesos (Php5,000,000.00).
The penalty of imprisonment ranging from one (1) SEC. 34. Extent of Liability. If the offender is a
year to three (3) years and a fine of not less than Five corporation, partnership or any juridical person, the
hundred thousand pesos (Php500,000.00) but not penalty shall be imposed upon the responsible
more than Two million pesos (Php2,000,000.00) shall officers, as the case may be, who participated in, or
be imposed on persons who knowingly and by their gross negligence, allowed the commission of
unlawfully, or violating data confidentiality and the crime. If the offender is a juridical person, the
security data systems, breaks in any way into any court may suspend or revoke any of its rights under
system where personal and sensitive personal this Act. If the offender is an alien, he or she shall, in
information is stored. addition to the penalties herein prescribed, be
deported without further proceedings after serving the
SEC. 30. Concealment of Security Breaches penalties prescribed. If the offender is a public
Involving Sensitive Personal Information. The official or employee and lie or she is found guilty of
penalty of imprisonment of one (1) year and six (6) acts penalized under Sections 27 and 28 of this Act,
months to five (5) years and a fine of not less than he or she shall, in addition to the penalties prescribed
Five hundred thousand pesos (Php500,000.00) but herein, suffer perpetual or temporary absolute
not more than One million pesos (Php1,000,000.00) disqualification from office, as the case may be.
shall be imposed on persons who, after having
knowledge of a security breach and of the obligation SEC. 35. Large-Scale. The maximum penalty in the
to notify the Commission pursuant to Section 20(f), scale of penalties respectively provided for the
intentionally or by omission conceals the fact of such preceding offenses shall be imposed when the
security breach. personal information of at least one hundred (100)
persons is harmed, affected or involved as the result
SEC. 31. Malicious Disclosure. Any personal of the above mentioned actions.
information controller or personal information
processor or any of its officials, employees or agents, SEC. 36. Offense Committed by Public Officer.
who, with malice or in bad faith, discloses When the offender or the person responsible for the
unwarranted or false information relative to any offense is a public officer as defined in the
personal information or personal sensitive Administrative Code of the Philippines in the
information obtained by him or her, shall be subject exercise of his or her duties, an accessory penalty
to imprisonment ranging from one (1) year and six consisting in the disqualification to occupy public
(6) months to five (5) years and a fine of not less than office for a term double the term of criminal penalty
8 of 26
imposed shall he applied. effect fifteen (15) days after its publication in at least
SEC. 37. Restitution. Restitution for any aggrieved two (2) national newspapers of general circulation.
party shall be governed by the provisions of the New
Civil Code. Approved,
CHAPTER IX (Sgd.) FELICIANO BELMONTE JR.
(Sgd.) JUAN PON
MISCELLANEOUS PROVISIONS Speaker of the House of Representatives
This Act which is a consolidation of Senate Bill No.
SEC. 38. Interpretation. Any doubt in the 2965 and House Bill No. 4115 was finally passed by
interpretation of any provision of this Act shall be the Senate and the House of Representatives on June
liberally interpreted in a manner mindful of the rights 6, 2012.
and interests of the individual about whom personal (Sgd.) MARILYN B. BARUA-YAP
information is processed. Secretary General House of (Sgd.) EMMA LIRIO
Representatives
SEC. 39. Implementing Rules and Regulations (IRR). Approved: AUG 15 2012
Within ninety (90) days from the effectivity of this (Sgd.) BENIGNO S. AQUINO III President of the Philippine
Act, the Commission shall promulgate the rules and
regulations to effectively implement the provisions of
this Act.

SEC. 40. Reports and Information. The


Commission shall annually report to the President
and Congress on its activities in carrying out the
provisions of this Act. The Commission shall
undertake whatever efforts it may determine to be
necessary or appropriate to inform and educate the
public of data privacy, data protection and fair
information rights and responsibilities.

SEC. 41. Appropriations Clause. The Commission


shall be provided with an initial appropriation of
Twenty million pesos (Php20,000,000.00) to be
drawn from the national government. Appropriations
for the succeeding years shall be included in the
General Appropriations Act. It shall likewise receive
Ten million pesos (Php10,000,000.00) per year for
five (5) years upon implementation of this Act drawn
from the national government.
SEC. 42. Transitory Provision. Existing industries,
businesses and offices affected by the implementation
of this Act shall be given one (1) year transitory
period from the effectivity of the IRR or such other
period as may be determined by the Commission, to
comply with the requirements of this Act.
In case that the DICT has not yet been created by the
time the law takes full force and effect, the National
Privacy Commission shall be attached to the Office
of the President.

SEC. 43. Separability Clause. If any provision or


part hereof is held invalid or unconstitutional, the
remainder of the law or the provision not otherwise
affected shall remain valid and subsisting.

SEC. 44. Repealing Clause. The provision of


Section 7 of Republic Act No. 9372, otherwise
known as the Human Security Act of 2007, is
hereby amended. Except as otherwise expressly
provided in this Act, all other laws, decrees,
executive orders, proclamations and administrative
regulations or parts thereof inconsistent herewith are
hereby repealed or modified accordingly.

SEC. 45. Effectivity Clause. This Act shall take


9 of 26
known as the Data Privacy Act of 2012;
b. Commission refers to the National Privacy
Commission;
c. Consent of the data subject refers to any freely
given, specific, informed indication of will, whereby
the data subject agrees to the collection and
processing of his or her personal, sensitive personal,
or privileged information. Consent shall be evidenced
by written, electronic or recorded means. It may also
be given on behalf of a data subject by a lawful
representative or an agent specifically authorized by
the data subject to do so;
d. Data subject refers to an individual whose
personal, sensitive personal, or privileged
information is processed;
e. Data processing systems refers to the structure
and procedure by which personal data is collected
and further processed in an information and
communications system or relevant filing system,
including the purpose and intended output of the
processing;
f. Data sharing is the disclosure or transfer to a
third party of personal data under the custody of a
personal information controller or personal
information processor. In the case of the latter, such
disclosure or transfer must have been upon the
instructions of the personal information controller
concerned. The term excludes outsourcing, or the
disclosure or transfer of personal data by a personal
information controller to a personal information
processor;
g. Direct marketing refers to communication by
whatever means of any advertising or marketing
material which is directed to particular individuals;
h. Filing system refers to any set of information
relating to natural or juridical persons to the extent
that, although the information is not processed by
equipment operating automatically in response to
instructions given for that purpose, the set is
Rule I. Preliminary Provisions structured, either by reference to individuals or by
reference to criteria relating to individuals, in such a
Section 1. Title. These rules and regulations shall be way that specific information relating to a particular
known as the Implementing Rules and Regulations individual is readily accessible;
of the Data Privacy Act of 2012, or the Rules. i. Information and communications system refers to
a system for generating, sending, receiving, storing,
Section 2. Policy. These Rules further enforce the or otherwise processing electronic data messages or
Data Privacy Act and adopt generally accepted electronic documents, and includes the computer
international principles and standards for personal system or other similar device by which data is
data protection. They safeguard the fundamental recorded, transmitted, or stored, and any procedure
human right of every individual to privacy while related to the recording, transmission, or storage of
ensuring free flow of information for innovation, electronic data, electronic message, or electronic
growth, and national development. These Rules also document;
recognize the vital role of information and j. Personal data refers to all types of personal
communications technology in nation-building and information;
enforce the States inherent obligation to ensure that k. Personal data breach refers to a breach of
personal data in information and communications security leading to the accidental or unlawful
systems in the government and in the private sector destruction, loss, alteration, unauthorized disclosure
are secured and protected. of, or access to, personal data transmitted, stored, or
otherwise processed;
Section 3. Definitions. Whenever used in these Rules, l. Personal information refers to any information,
the following terms shall have the respective whether recorded in a material form or not, from
meanings hereafter set forth: which the identity of an individual is apparent or can
a. Act refers to Republic Act No. 10173, also be reasonably and directly ascertained by the entity
10 of 26
holding the information, or when put together with 3. Issued by government agencies peculiar to an
other information would directly and certainly individual which includes, but is not limited to, social
identify an individual; security numbers, previous or current health records,
m. Personal information controller refers to a licenses or its denials, suspension or revocation, and
natural or juridical person, or any other body who tax returns; and
controls the processing of personal data, or instructs 4. Specifically established by an executive order or
another to process personal data on its behalf. The an act of Congress to be kept classified.
term excludes:
1. A natural or juridical person, or any other body,
who performs such functions as instructed by another Rule II. Scope of Application
person or organization; or
2. A natural person who processes personal data in Section 4. Scope. The Act and these Rules apply to
connection with his or her personal, family, or the processing of personal data by any natural and
household affairs; juridical person in the government or private sector.
There is control if the natural or juridical person or They apply to an act done or practice engaged in and
any other body decides on what information is outside of the Philippines if:
collected, or the purpose or extent of its processing; a. The natural or juridical person involved in the
n. Personal information processor refers to any processing of personal data is found or established in
natural or juridical person or any other body to whom the Philippines;
a personal information controller may outsource or b. The act, practice or processing relates to personal
instruct the processing of personal data pertaining to data about a Philippine citizen or Philippine resident;
a data subject; c. The processing of personal data is being done in
o. Processing refers to any operation or any set of the Philippines; or
operations performed upon personal data including, d. The act, practice or processing of personal data is
but not limited to, the collection, recording, done or engaged in by an entity with links to the
organization, storage, updating or modification, Philippines, with due consideration to international
retrieval, consultation, use, consolidation, blocking, law and comity, such as, but not limited to, the
erasure or destruction of data. Processing may be following:
performed through automated means, or manual 1. Use of equipment located in the country, or
processing, if the personal data are contained or are maintains an office, branch or agency in the
intended to be contained in a filing system; Philippines for processing of personal data;
p. Profiling refers to any form of automated 2. A contract is entered in the Philippines;
processing of personal data consisting of the use of 3. A juridical entity unincorporated in the Philippines
personal data to evaluate certain personal aspects but has central management and control in the
relating to a natural person, in particular to analyze or country;
predict aspects concerning that natural persons 4. An entity that has a branch, agency, office or
performance at work, economic situation, health, subsidiary in the Philippines and the parent or
personal preferences, interests, reliability, behavior, affiliate of the Philippine entity has access to personal
location or movements; data;
q. Privileged information refers to any and all 5. An entity that carries on business in the
forms of data, which, under the Rules of Court and Philippines;
other pertinent laws constitute privileged 6. An entity that collects or holds personal data in the
communication; Philippines.
r. Public authority refers to any government entity
created by the Constitution or law, and vested with Section 5. Special Cases. The Act and these Rules
law enforcement or regulatory authority and shall not apply to the following specified
functions; information, only to the minimum extent of
s. Security incident is an event or occurrence that collection, access, use, disclosure or other processing
affects or tends to affect data protection, or may necessary to the purpose, function, or activity
compromise the availability, integrity and concerned:
confidentiality of personal data. It includes incidents a. Information processed for purpose of allowing
that would result to a personal data breach, if not for public access to information that fall within matters
safeguards that have been put in place; of public concern, pertaining to:
t. Sensitive personal information refers to personal 1. Information about any individual who is or was an
information: officer or employee of government that relates to his
1. About an individuals race, ethnic origin, marital or her position or functions, including:
status, age, color, and religious, philosophical or (a) The fact that the individual is or was an officer or
political affiliations; employee of the government;
2. About an individuals health, education, genetic or (b) The title, office address, and office telephone
sexual life of a person, or to any proceeding for any number of the individual;
offense committed or alleged to have been committed (c) The classification, salary range, and
by such individual, the disposal of such proceedings, responsibilities of the position held by the individual;
or the sentence of any court in such proceedings; and
11 of 26
(d) The name of the individual on a document he or specific purpose, function, or activity.Section 6.
she prepared in the course of his or her employment Protection afforded to Data Subjects.
with the government; a. Unless directly incompatible or inconsistent with
2. Information about an individual who is or was the preceding sections in relation to the purpose,
performing a service under contract for a government function, or activities the non-applicability concerns,
institution, but only in so far as it relates to such the personal information controller or personal
service, including the the name of the individual and information processor shall uphold the rights of data
the terms of his or her contract; subjects, and adhere to general data privacy
3. Information relating to a benefit of a financial principles and the requirements of lawful processing.
nature conferred on an individual upon the discretion b. The burden of proving that the Act and these Rules
of the government, such as the granting of a license are not applicable to a particular information falls on
or permit, including the name of the individual and those involved in the processing of personal data or
the exact nature of the benefit: Provided, that they do the party claiming the non-applicability.
not include benefits given in the course of an c. In all cases, the determination of any exemption
ordinary transaction or as a matter of right; shall be liberally interpreted in favor of the rights and
b. Personal information processed for journalistic, interests of the data subject.
artistic or literary purpose, in order to uphold
freedom of speech, of expression, or of the press, Section 7. Protection Afforded to Journalists and
subject to requirements of other applicable law or their Sources.
regulations; a. Publishers, editors, or duly accredited reporters of
c. Personal information that will be processed for any newspaper, magazine or periodical of general
research purpose, intended for a public benefit, circulation shall not be compelled to reveal the source
subject to the requirements of applicable laws, of any news report or information appearing in said
regulations, or ethical standards; publication if it was related in any confidence to such
d. Information necessary in order to carry out the publisher, editor, or reporter.
functions of public authority, in accordance with a b. Publishers, editors, or duly accredited reporters
constitutionally or statutorily mandated function who are likewise personal information controllers or
pertaining to law enforcement or regulatory function, personal information processors within the meaning
including the performance of the functions of the of the law are still bound to follow the Data Privacy
independent, central monetary authority, subject to Act and related issuances with regard to the
restrictions provided by law. Nothing in this Act shall processing of personal data, upholding rights of their
be construed as having amended or repealed Republic data subjects and maintaining compliance with other
Act No. 1405, otherwise known as the Secrecy of provisions that are not incompatible with the
Bank Deposits Act; Republic Act No. 6426, protection provided by Republic Act No. 53.
otherwise known as the Foreign Currency Deposit
Act; and Republic Act No. 9510, otherwise known as Rule III. National Privacy Commission
the Credit Information System Act (CISA);
e. Information necessary for banks, other financial Section 8. Mandate. The National Privacy
institutions under the jurisdiction of the independent, Commission is an independent body mandated to
central monetary authority or Bangko Sentral ng administer and implement the Act, and to monitor
Pilipinas, and other bodies authorized by law, to the and ensure compliance of the country with
extent necessary to comply with Republic Act No. international standards set for personal data
9510 (CISA), Republic Act No. 9160, as amended, protection.
otherwise known as the Anti-Money Laundering Act, Section 9. Functions. The National Privacy
and other applicable laws; Commission shall have the following functions:
f. Personal information originally collected from a. Rule Making. The Commission shall develop,
residents of foreign jurisdictions in accordance with promulgate, review or amend rules and regulations
the laws of those foreign jurisdictions, including any for the effective implementation of the Act. This
applicable data privacy laws, which is being includes:
processed in the Philippines. The burden of proving 1. Recommending organizational, physical and
the law of the foreign jurisdiction falls on the person technical security measures for personal data
or body seeking exemption. In the absence of proof, protection, encryption, and access to sensitive
the applicable law shall be presumed to be the Act personal information maintained by government
and these Rules: agencies, considering the most appropriate standard
Provided, that the non-applicability of the Act or recognized by the information and communications
these Rules do not extend to personal information technology industry, as may be necessary;
controllers or personal information processors, who 2. Specifying electronic format and technical
remain subject to the requirements of implementing standards, modalities and procedures for data
security measures for personal data protection: portability, as may be necessary;
Provided further, that the processing of the 3. Issuing guidelines for organizational, physical, and
information provided in the preceding paragraphs technical security measures for personal data
shall be exempted from the requirements of the Act protection, taking into account the nature of the
only to the minimum extent necessary to achieve the personal data to be protected, the risks presented by
12 of 26
the processing, the size of the organization and 2. Monitoring the compliance of all government
complexity of its operations, current data privacy best agencies or instrumentalities as regards their security
practices, cost of security implementation, and the and technical measures, and recommending the
most appropriate standard recognized by the necessary action in order to meet minimum standards
information and communications technology for protection of personal data pursuant to the Act;
industry, as may be necessary; 3. Negotiating and contracting with other data
4. Consulting with relevant regulatory agencies in the privacy authorities of other countries for cross-border
formulation, review, amendment, and administration application and implementation of respective privacy
of privacy codes, applying the standards set out in the laws;
Act, with respect to the persons, entities, business 4. Generally performing such acts as may be
activities, and business sectors that said regulatory necessary to facilitate cross-border enforcement of
bodies are authorized to principally regulate pursuant data privacy protection;
to law; 5. Managing the registration of personal data
5. Proposing legislation, amendments or processing systems in the country, including the
modifications to Philippine laws on privacy or data personal data processing system of contractors and
protection, as may be necessary; their employees entering into contracts with
6. Ensuring proper and effective coordination with government agencies that involves accessing or
data privacy regulators in other countries and private requiring sensitive personal information of at least
accountability agents; one thousand (1,000) individuals.
7. Participating in international and regional e. Complaints and Investigations. The Commission
initiatives for data privacy protection. shall adjudicate on complaints and investigations on
b. Advisory. The Commission shall be the advisory matters affecting personal data: Provided, that In
body on matters affecting protection of personal data. resolving any complaint or investigation, except
This includes: where amicable settlement is reached by the parties,
1. Commenting on the implication on data privacy of the Commission shall act as a collegial body. This
proposed national or local statutes, regulations or includes:
procedures, issuing advisory opinions, and 1. Receiving complaints and instituting investigations
interpreting the provisions of the Act and other data regarding violations of the Act, these Rules, and other
privacy laws; issuances of the Commission, including violations of
2. Reviewing, approving, rejecting, or requiring the rights of data subjects and other matters affecting
modification of privacy codes voluntarily adhered to personal data;
by personal information controllers, which may 2. Summoning witnesses, and requiring the
include private dispute resolution mechanisms for production of evidence by a subpoena duces tecum
complaints against any participating personal for the purpose of collecting the information
information controller, and which adhere to the necessary to perform its functions under the Act:
underlying data privacy principles embodied in the Provided, that the Commission may be given access
Act and these Rules; to personal data that is subject of any complaint;
3. Providing assistance on matters relating to privacy 3. Facilitating or enabling settlement of complaints
or data protection at the request of a national or local through the use of alternative dispute resolution
agency, a private entity or any person, including the processes, and adjudicating on matters affecting any
enforcement of rights of data subjects; personal data;
4. Assisting Philippine companies doing business 4. Preparing reports on the disposition of complaints
abroad to respond to data protection laws and and the resolution of any investigation it initiates,
regulations. and, in cases it deems appropriate, publicizing such
c. Public Education. The Commission shall undertake reports;
necessary or appropriate efforts to inform and educate f. Enforcement. The Commission shall perform all
the public of data privacy, data protection, and fair acts as may be necessary to effectively implement the
information rights and responsibilities. This includes: Act, these Rules, and its other issuances, and to
1. Publishing, on a regular basis, a guide to all laws enforce its Orders, Resolutions or Decisions,
relating to data protection; including the imposition of administrative sanctions,
2. Publishing a compilation of agency system of fines, or penalties. This includes:
records and notices, including index and other finding 1. Issuing compliance or enforcement orders;
aids; 2. Awarding indemnity on matters affecting any
3. Coordinating with other government agencies and personal data, or rights of data subjects;
the private sector on efforts to formulate and 3. Issuing cease and desist orders, or imposing a
implement plans and policies to strengthen the temporary or permanent ban on the processing of
protection of personal data in the country; personal data, upon finding that the processing will
d. Compliance and Monitoring. The Commission be detrimental to national security or public interest,
shall perform compliance and monitoring functions to or if it is necessary to preserve and protect the rights
ensure effective implementation of the Act, these of data subjects;
Rules, and other issuances. This includes: 4. Recommending to the Department of Justice
1. Ensuring compliance by personal information (DOJ) the prosecution of crimes and imposition of
controllers with the provisions of the Act; penalties specified in the Act;
13 of 26
5. Compelling or petitioning any entity, government The Deputy Privacy Commissioners must be
agency, or instrumentality, to abide by its orders or recognized experts in the field of information and
take action on a matter affecting data privacy; communications technology and data privacy. They
6. Imposing administrative fines for violations of the shall enjoy the benefits, privileges, and emoluments
Act, these Rules, and other issuances of the equivalent to the rank of Undersecretary.
Commission.
g. Other functions. The Commission shall exercise Section 14. Secretariat. The Commission is
such other functions as may be necessary to fulfill its authorized to establish a Secretariat, which shall
mandate under the Act. assist in the performance of its functions. The
Secretariat shall be headed by an Executive Director
Section 10. Administrative Issuances. The and shall be organized according to the following
Commission shall publish or issue official directives offices:
and administrative issuances, orders, and circulars, a. Data Security and Compliance Office;
which include: b. Legal and Enforcement Office;
a. Rules of procedure in the exercise of its quasi- c. Finance and Administrative Office;
judicial functions, subject to the suppletory d. Privacy Policy Office;
application of the Rules of Court; e. Public Information and Assistance Office.
b. Schedule of administrative fines and penalties for Majority of the members of the Secretariat, in so far
violations of the Act, these Rules, and issuances or as practicable, must have served for at least five (5)
Orders of the Commission, including the applicable years in any agency of the government that is
fees for its administrative services and filing fees; involved in the processing of personal data including,
c. Procedure for registration of data processing but not limited to, the following offices: Social
systems, and notification; Security System (SSS), Government Service
d. Other administrative issuances consistent with its Insurance System (GSIS), Land Transportation Office
mandate and other functions. (LTO), Bureau of Internal Revenue (BIR), Philippine
Health Insurance Corporation (PhilHealth),
Section 11. Reports and Information. The Commission on Elections (COMELEC), Department
Commission shall report annually to the President of Foreign Affairs (DFA), Department of Justice
and Congress regarding its activities in carrying out (DOJ), and Philippine Postal Corporation (Philpost).
the provisions of the Act, these Rules, and its other The organizational structure shall be subject to
issuances. It shall undertake all efforts it deems review and modification by the Commission,
necessary or appropriate to inform and educate the including the creation of new divisions and units it
public of data privacy, data protection, and fair may deem necessary, and shall appoint officers and
information rights and responsibilities. employees of the Commission in accordance with
civil service law, rules, and regulations.
Section 12. Confidentiality of Personal Data.
Members, employees, and consultants of the Section 15. Effect of Lawful Performance of Duty.
Commission shall ensure at all times the The Privacy Commissioner, the Deputy
confidentiality of any personal data that come to their Commissioners, or any person acting on their behalf
knowledge and possession: Provided, that such duty or under their direction, shall not be civilly liable for
of confidentiality shall remain even after their term, acts done in good faith in the performance of their
employment, or contract has ended. duties: Provided, that they shall be liable for willful
Section 13. Organizational Structure. The or negligent acts, which are contrary to law, morals,
Commission is attached to the Department of public policy, and good customs, even if they acted
Information and Communications Technology for under orders or instructions of superiors: Provided
policy and program coordination in accordance with further, that in case a lawsuit is filed against them in
Section 38(3) of Executive Order No. 292, series of relation to the performance of their duties, where
1987, also known as the Administrative Code of such performance is lawful, he or she shall be
1987. The Commission shall remain completely reimbursed by the Commission for reasonable costs
independent in the performance of its functions. of litigation.
The Commission shall be headed by a Privacy Section 16. Magna Carta for Science and Technology
Commissioner, who shall act as Chairman of the Personnel. Qualified employees of the Commission
Commission. The Privacy Commissioner must be at shall be covered by Republic Act No. 8349, which
least thirty-five (35) years of age and of good moral provides a magna carta for scientists, engineers,
character, unquestionable integrity and known researchers, and other science and technology
probity, and a recognized expert in the field of personnel in the government.
information technology and data privacy. The Privacy
Commissioner shall enjoy the benefits, privileges,
and emoluments equivalent to the rank of Secretary. Rule IV. Data Privacy Principles
The Privacy Commissioner shall be assisted by two
(2) Deputy Privacy Commissioners. One shall be Section 17. General Data Privacy Principles. The
responsible for Data Processing Systems, while the processing of personal data shall be allowed, subject
other shall be responsible for Policies and Planning. to compliance with the requirements of the Act and
14 of 26
other laws allowing disclosure of information to the declared, specified, and legitimate purpose.
public, and adherence to the principles of 4. Processed personal data should be adequate,
transparency, legitimate purpose, and proportionality. relevant, and limited to what is necessary in relation
to the purposes for which they are processed.
Section 18. Principles of Transparency, Legitimate 5. Processing shall be undertaken in a manner that
Purpose and Proportionality. The processing of ensures appropriate privacy and security safeguards.
personal data shall be allowed subject to adherence to c. Processing should ensure data quality.
the principles of transparency, legitimate purpose, 1. Personal data should be accurate and where
and proportionality. necessary for declared, specified and legitimate
a. Transparency. The data subject must be aware of purpose, kept up to date.
the nature, purpose, and extent of the processing of 2. Inaccurate or incomplete data must be rectified,
his or her personal data, including the risks and supplemented, destroyed or their further processing
safeguards involved, the identity of personal restricted.
information controller, his or her rights as a data d. Personal Data shall not be retained longer than
subject, and how these can be exercised. Any necessary.
information and communication relating to the 1. Retention of personal data shall only for as long as
processing of personal data should be easy to access necessary:
and understand, using clear and plain language. (a) for the fulfillment of the declared, specified, and
b. Legitimate purpose. The processing of information legitimate purpose, or when the processing relevant
shall be compatible with a declared and specified to the purpose has been terminated;
purpose which must not be contrary to law, morals, or (b) for the establishment, exercise or defense of legal
public policy. claims; or
c. Proportionality. The processing of information (c) for legitimate business purposes, which must be
shall be adequate, relevant, suitable, necessary, and consistent with standards followed by the applicable
not excessive in relation to a declared and specified industry or approved by appropriate government
purpose. Personal data shall be processed only if the agency.
purpose of the processing could not reasonably be 2. Retention of personal data shall be allowed in
fulfilled by other means. cases provided by law.
Section 19. General principles in collection, 3. Personal data shall be disposed or discarded in a
processing and retention. The processing of personal secure manner that would prevent further processing,
data shall adhere to the following general principles unauthorized access, or disclosure to any other party
in the collection, processing, and retention of or the public, or prejudice the interests of the data
personal data: subjects.
a. Collection must be for a declared, specified, and e. Any authorized further processing shall have
legitimate purpose. adequate safeguards.
1. Consent is required prior to the collection and 1. Personal data originally collected for a declared,
processing of personal data, subject to exemptions specified, or legitimate purpose may be processed
provided by the Act and other applicable laws and further for historical, statistical, or scientific
regulations. When consent is required, it must be purposes, and, in cases laid down in law, may be
time-bound in relation to the declared, specified and stored for longer periods, subject to implementation
legitimate purpose. Consent given may be withdrawn. of the appropriate organizational, physical, and
2. The data subject must be provided specific technical security measures required by the Act in
information regarding the purpose and extent of order to safeguard the rights and freedoms of the data
processing, including, where applicable, the subject.
automated processing of his or her personal data for 2. Personal data which is aggregated or kept in a form
profiling, or processing for direct marketing, and data which does not permit identification of data subjects
sharing. may be kept longer than necessary for the declared,
3. Purpose should be determined and declared before, specified, and legitimate purpose.
or as soon as reasonably practicable, after collection. 3. Personal data shall not be retained in perpetuity in
4. Only personal data that is necessary and contemplation of a possible future use yet to be
compatible with declared, specified, and legitimate determined.
purpose shall be collected.
b. Personal data shall be processed fairly and Section 20. General Principles for Data Sharing.
lawfully. Further Processing of Personal Data collected from a
1. Processing shall uphold the rights of the data party other than the Data Subject shall be allowed
subject, including the right to refuse, withdraw under any of the following conditions:
consent, or object. It shall likewise be transparent, a. Data sharing shall be allowed when it is expressly
and allow the data subject sufficient information to authorized by law: Provided, that there are adequate
know the nature and extent of processing. safeguards for data privacy and security, and
2. Information provided to a data subject must always processing adheres to principle of transparency,
be in clear and plain language to ensure that they are legitimate purpose and proportionality.
easy to understand and access. b. Data Sharing shall be allowed in the private sector
3. Processing must be in a manner compatible with if the data subject consents to data sharing, and the
15 of 26
following conditions are complied with: reasonable;
1. Consent for data sharing shall be required even b. The processing involves the personal information
when the data is to be shared with an affiliate or of a data subject who is a party to a contractual
mother company, or similar relationships; agreement, in order to fulfill obligations under the
2. Data sharing for commercial purposes, including contract or to take steps at the request of the data
direct marketing, shall be covered by a data sharing subject prior to entering the said agreement;
agreement. c. The processing is necessary for compliance with a
(a) The data sharing agreement shall establish legal obligation to which the personal information
adequate safeguards for data privacy and security, controller is subject;
and uphold rights of data subjects. d. The processing is necessary to protect vitally
(b) The data sharing agreement shall be subject to important interests of the data subject, including his
review by the Commission, on its own initiative or or her life and health;
upon complaint of data subject; e. The processing of personal information is
3. The data subject shall be provided with the necessary to respond to national emergency or to
following information prior to collection or before comply with the requirements of public order and
data is shared: safety, as prescribed by law;
(a) Identity of the personal information controllers or f. The processing of personal information is
personal information processors that will be given necessary for the fulfillment of the constitutional or
access to the personal data; statutory mandate of a public authority; or
(b) Purpose of data sharing; g. The processing is necessary to pursue the
(c) Categories of personal data concerned; legitimate interests of the personal information
(d) Intended recipients or categories of recipients of controller, or by a third party or parties to whom the
the personal data; data is disclosed, except where such interests are
(e) Existence of the rights of data subjects, including overridden by fundamental rights and freedoms of the
the right to access and correction, and the right to data subject, which require protection under the
object; Philippine Constitution.
(f) Other information that would sufficiently notify
the data subject of the nature and extent of data Section 22. Sensitive Personal Information and
sharing and the manner of processing. Privileged Information. The processing of sensitive
4. Further processing of shared data shall adhere to personal and privileged information is prohibited,
the data privacy principles laid down in the Act, these except in any of the following cases:
Rules, and other issuances of the Commission. a. Consent is given by data subject, or by the parties
c. Data collected from parties other than the data to the exchange of privileged information, prior to the
subject for purpose of research shall be allowed when processing of the sensitive personal information or
the personal data is publicly available, or has the privileged information, which shall be undertaken
consent of the data subject for purpose of research: pursuant to a declared, specified, and legitimate
Provided, that adequate safeguards are in place, and purpose;
no decision directly affecting the data subject shall be b. The processing of the sensitive personal
made on the basis of the data collected or processed. information or privileged information is provided for
The rights of the data subject shall be upheld without by existing laws and regulations: Provided, that said
compromising research integrity. laws and regulations do not require the consent of the
d. Data sharing between government agencies for the data subject for the processing, and guarantee the
purpose of a public function or provision of a public protection of personal data;
service shall be covered a data sharing agreement. c. The processing is necessary to protect the life and
1. Any or all government agencies party to the health of the data subject or another person, and the
agreement shall comply with the Act, these Rules, data subject is not legally or physically able to
and all other issuances of the Commission, including express his or her consent prior to the processing;
putting in place adequate safeguards for data privacy d. The processing is necessary to achieve the lawful
and security. and noncommercial objectives of public
2. The data sharing agreement shall be subject to organizations and their associations provided that:
review of the Commission, on its own initiative or 1. Processing is confined and related to the bona fide
upon complaint of data subject. members of these organizations or their associations;
2. The sensitive personal information are not
transferred to third parties; and
Rule V. Lawful Processing of Personal Data 3. Consent of the data subject was obtained prior to
processing;
Section 21. Criteria for Lawful Processing of e. The processing is necessary for the purpose of
Personal Information. Processing of personal medical treatment: Provided, that it is carried out by a
information is allowed, unless prohibited by law. For medical practitioner or a medical treatment
processing to be lawful, any of the following institution, and an adequate level of protection of
conditions must be complied with: personal data is ensured; or
a. The data subject must have given his or her consent f. The processing concerns sensitive personal
prior to the collection, or as soon as practicable and information or privileged information necessary for
16 of 26
the protection of lawful rights and interests of natural contamination.
or legal persons in court proceedings, or the
establishment, exercise, or defense of legal claims, or Section 26. Organizational Security Measures. Where
when provided to government or public authority appropriate, personal information controllers and
pursuant to a constitutional or statutory mandate. personal information processors shall comply with
the following guidelines for organizational security:
Section 23. Extension of Privileged Communication. a. Compliance Officers. Any natural or juridical
Personal information controllers may invoke the person or other body involved in the processing of
principle of privileged communication over personal data shall designate an individual or
privileged information that they lawfully control or individuals who shall function as data protection
process. Subject to existing laws and regulations, any officer, compliance officer or otherwise be
evidence gathered from privileged information is accountable for ensuring compliance with applicable
inadmissible. laws and regulations for the protection of data
When the Commission inquires upon communication privacy and security.
claimed to be privileged, the personal information b. Data Protection Policies. Any natural or juridical
controller concerned shall prove the nature of the person or other body involved in the processing of
communication in an executive session. Should the personal data shall implement appropriate data
communication be determined as privileged, it shall protection policies that provide for organization,
be excluded from evidence, and the contents thereof physical, and technical security measures, and, for
shall not form part of the records of the case: such purpose, take into account the nature, scope,
Provided, that where the privileged communication context and purposes of the processing, as well as the
itself is the subject of a breach, or a privacy concern risks posed to the rights and freedoms of data
or investigation, it may be disclosed to the subjects.
Commission but only to the extent necessary for the 1. The policies shall implement data protection
purpose of investigation, without including the principles both at the time of the determination of the
contents thereof in the records. means for processing and at the time of the
processing itself.
Section 24. Surveillance of Suspects and Interception 2. The policies shall implement appropriate security
of Recording of Communications. Section 7 of measures that, by default, ensure only personal data
Republic Act No. 9372, otherwise known as the which is necessary for the specified purpose of the
Human Security Act of 2007, is hereby amended to processing are processed. They shall determine the
include the condition that the processing of personal amount of personal data collected, including the
data for the purpose of surveillance, interception, or extent of processing involved, the period of their
recording of communications shall comply with the storage, and their accessibility.
Data Privacy Act, including adherence to the 3. The polices shall provide for documentation,
principles of transparency, proportionality, and regular review, evaluation, and updating of the
legitimate purpose. privacy and security policies and practices.
c. Records of Processing Activities. Any natural or
juridical person or other body involved in the
Rule VI. Security Measures for the Protection of processing of personal data shall maintain records
Personal Data that sufficiently describe its data processing system,
and identify the duties and responsibilities of those
Section 25. Data Privacy and Security. Personal individuals who will have access to personal data.
information controllers and personal information Records should include:
processors shall implement reasonable and 1. Information about the purpose of the processing of
appropriate organizational, physical, and technical personal data, including any intended future
security measures for the protection of personal data. processing or data sharing;
The personal information controller and personal 2. A description of all categories of data subjects,
information processor shall take steps to ensure that personal data, and recipients of such personal data
any natural person acting under their authority and that will be involved in the processing;
who has access to personal data, does not process 3. General information about the data flow within the
them except upon their instructions, or as required by organization, from the time of collection, processing,
law. and retention, including the time limits for disposal or
The security measures shall aim to maintain the erasure of personal data;
availability, integrity, and confidentiality of personal 4. A general description of the organizational,
data and are intended for the protection of personal physical, and technical security measures in place;
data against any accidental or unlawful destruction, 5. The name and contact details of the personal
alteration, and disclosure, as well as against any other information controller and, where applicable, the
unlawful processing. These measures shall be joint controller, the its representative, and the
implemented to protect personal data against natural compliance officer or Data Protection Officer, or any
dangers such as accidental loss or destruction, and other individual or individuals accountable for
human dangers such as unlawful access, fraudulent ensuring compliance with the applicable laws and
misuse, unlawful destruction, alteration and regulations for the protection of data privacy and
17 of 26
security. individuals actually performing official duties shall
d. Management of Human Resources. Any natural or be in the room or work station, at any given time;
juridical person or other entity involved in the d. Any natural or juridical person or other body
processing of personal data shall be responsible for involved in the processing of personal data shall
selecting and supervising its employees, agents, or implement Policies and procedures regarding the
representatives, particularly those who will have transfer, removal, disposal, and re-use of electronic
access to personal data. media, to ensure appropriate protection of personal
The said employees, agents, or representatives shall data;
operate and hold personal data under strict e. Policies and procedures that prevent the
confidentiality if the personal data are not intended mechanical destruction of files and equipment shall
for public disclosure. This obligation shall continue be established. The room and workstation used in the
even after leaving the public service, transferring to processing of personal data shall, as far as
another position, or upon terminating their practicable, be secured against natural disasters,
employment or contractual relations. There shall be power disturbances, external access, and other similar
capacity building, orientation or training programs threats.
for such employees, agents or representatives,
regarding privacy or security policies. Section 28. Guidelines for Technical Security
e. Processing of Personal Data. Any natural or Measures. Where appropriate, personal information
juridical person or other body involved in the controllers and personal information processors shall
processing of personal data shall develop, implement adopt and establish the following technical security
and review: measures:
1. A procedure for the collection of personal data, a. A security policy with respect to the processing of
including procedures for obtaining consent, when personal data;
applicable; b. Safeguards to protect their computer network
2. Procedures that limit the processing of data, to against accidental, unlawful or unauthorized usage,
ensure that it is only to the extent necessary for the any interference which will affect data integrity or
declared, specified, and legitimate purpose; hinder the functioning or availability of the system,
3. Policies for access management, system and unauthorized access through an electronic
monitoring, and protocols to follow during security network;
incidents or technical problems; c. The ability to ensure and maintain the
4. Policies and procedures for data subjects to confidentiality, integrity, availability, and resilience
exercise their rights under the Act; of their processing systems and services;
5. Data retention schedule, including timeline or d. Regular monitoring for security breaches, and a
conditions for erasure or disposal of records. process both for identifying and accessing reasonably
f. Contracts with Personal Information Processors. foreseeable vulnerabilities in their computer
The personal information controller, through networks, and for taking preventive, corrective, and
appropriate contractual agreements, shall ensure that mitigating action against security incidents that can
its personal information processors, where applicable, lead to a personal data breach;
shall also implement the security measures required e. The ability to restore the availability and access to
by the Act and these Rules. It shall only engage those personal data in a timely manner in the event of a
personal information processors that provide physical or technical incident;
sufficient guarantees to implement appropriate f. A process for regularly testing, assessing, and
security measures specified in the Act and these evaluating the effectiveness of security measures;
Rules, and ensure the protection of the rights of the g. Encryption of personal data during storage and
data subject. while in transit, authentication process, and other
technical security measures that control and limit
Section 27. Physical Security Measures. Where access.
appropriate, personal information controllers and
personal information processors shall comply with Section 29. Appropriate Level of Security. The
the following guidelines for physical security: Commission shall monitor the compliance of natural
a. Policies and procedures shall be implemented to or juridical person or other body involved in the
monitor and limit access to and activities in the room, processing of personal data, specifically their security
workstation or facility, including guidelines that measures, with the guidelines provided in these Rules
specify the proper use of and access to electronic and subsequent issuances of the Commission. In
media; determining the level of security appropriate for a
b. Design of office space and work stations, including particular personal information controller or personal
the physical arrangement of furniture and equipment, information processor, the Commission shall take
shall provide privacy to anyone processing personal into account the nature of the personal data that
data, taking into consideration the environment and requires protection, the risks posed by the processing,
accessibility to the public; the size of the organization and complexity of its
c. The duties, responsibilities and schedule of operations, current data privacy best practices, and
individuals involved in the processing of personal the cost of security implementation. The security
data shall be clearly defined to ensure that only the measures provided herein shall be subject to regular
18 of 26
review and evaluation, and may be updated as whether by its agent or employee, unless the head of
necessary by the Commission in separate issuances, agency has ensured the implementation of privacy
taking into account the most appropriate standard policies and appropriate security measures. A request
recognized by the information and communications for such transportation or access shall be submitted to
technology industry and data privacy best practices. and approved by the head of agency. The request
must include proper accountability mechanisms in the
processing of data.
Rule VII. Security of Sensitive Personal 2. The head of agency shall approve requests for off-
Information in Government site access in accordance with the following
guidelines:
Section 30. Responsibility of Heads of Agencies. All (a) Deadline for Approval or Disapproval. The head
sensitive personal information maintained by the of agency shall approve or disapprove the request
government, its agencies, and instrumentalities shall within two (2) business days after the date of
be secured, as far as practicable, with the use of the submission of the request. Where no action is taken
most appropriate standard recognized by the by the head of agency, the request is considered
information and communications technology disapproved;
industry, subject to these Rules and other issuances of (b) Limitation to One thousand (1,000) Records.
the Commission. The head of each government Where a request is approved, the head of agency shall
agency or instrumentality shall be responsible for limit the access to not more than one thousand
complying with the security requirements mentioned (1,000) records at a time, subject to the next
herein. The Commission shall monitor government succeeding paragraph.
agency compliance and may recommend the (c) Encryption. Any technology used to store,
necessary action in order to satisfy the minimum transport or access sensitive personal information for
standards. purposes of off-site access approved under this
subsection shall be secured by the use of the most
Section 31. Requirements Relating to Access by secure encryption standard recognized by the
Agency Personnel to Sensitive Personal Information. Commission.
a. On-site and Online Access.
1. No employee of the government shall have access Section 32. Implementation of Security
to sensitive personal information on government Requirements. Notwithstanding the effective date of
property or through online facilities unless he or she these Rules, the requirements in the preceding
the employee has received a security clearance from sections shall be implemented before any off-site or
the head of the source agency. The source agency is online access request is approved. Any data sharing
the government agency who originally collected the agreement between a source agency and another
personal data. government agency shall be subject to review of the
2. A source agency shall strictly regulate access to Commission on its own initiative or upon complaint
sensitive personal information under its custody or of data subject.
control, particularly when it allows online access. An
employee of the government shall only be granted a Section 33. Applicability to Government Contractors.
security clearance when the performance of his or her In entering into any contract with a private service
official functions or the provision of a public service provider that may involve accessing or requiring
directly depends on and cannot otherwise be sensitive personal information from one thousand
performed unless access to the personal data is (1,000) or more individuals, a government agency
allowed. shall require such service provider and its employees
3. Where allowed under the next preceding sections, to register their personal data processing system with
online access to sensitive personal information shall the Commission in accordance with the Act and these
be subject to the following conditions: Rules. The service provider, as personal information
(a) An information technology governance processor, shall comply with the other provisions of
framework has been designed and implemented; the Act and these Rules, particularly the immediately
(b) Sufficient organizational, physical and technical preceding sections, similar to a government agency
security measures have been established; and its employees.
(c) The agency is capable of protecting sensitive
personal information in accordance with data privacy
practices and standards recognized by the information Rule VIII. Rights of Data Subjects
and communication technology industry;
(d) The employee of the government is only given Section 34. Rights of the Data Subject. The data
online access to sensitive personal information subject is entitled to the following rights:
necessary for the performance of official functions or a. Right to be informed.
the provision of a public service. 1. The data subject has a right to be informed whether
b. Off-site access. personal data pertaining to him or her shall be, are
1. Sensitive personal information maintained by an being, or have been processed, including the
agency may not be transported or accessed from a existence of automated decision-making and
location off or outside of government property, profiling.
19 of 26
2. The data subject shall be notified and furnished 6. Information on automated processes where the data
with information indicated hereunder before the entry will, or is likely to, be made as the sole basis for any
of his or her personal data into the processing system decision that significantly affects or will affect the
of the personal information controller, or at the next data subject;
practical opportunity: 7. Date when his or her personal data concerning the
(a) Description of the personal data to be entered into data subject were last accessed and modified; and
the system; 8. The designation, name or identity, and address of
(b) Purposes for which they are being or will be the personal information controller.
processed, including processing for direct marketing, d. Right to rectification. The data subject has the right
profiling or historical, statistical or scientific purpose; to dispute the inaccuracy or error in the personal data
(c) Basis of processing, when processing is not based and have the personal information controller correct
on the consent of the data subject; it immediately and accordingly, unless the request is
(d) Scope and method of the personal data vexatious or otherwise unreasonable. If the personal
processing; data has been corrected, the personal information
(e) The recipients or classes of recipients to whom the controller shall ensure the accessibility of both the
personal data are or may be disclosed; new and the retracted information and the
(f) Methods utilized for automated access, if the same simultaneous receipt of the new and the retracted
is allowed by the data subject, and the extent to information by the intended recipients thereof:
which such access is authorized, including Provided, That recipients or third parties who have
meaningful information about the logic involved, as previously received such processed personal data
well as the significance and the envisaged shall be informed of its inaccuracy and its
consequences of such processing for the data subject; rectification, upon reasonable request of the data
(g) The identity and contact details of the personal subject.
data controller or its representative; e. Right to Erasure or Blocking. The data subject
(h) The period for which the information will be shall have the right to suspend, withdraw or order the
stored; and blocking, removal or destruction of his or her
(i) The existence of their rights as data subjects, personal data from the personal information
including the right to access, correction, and object to controllers filing system.
the processing, as well as the right to lodge a 1. This right may be exercised upon discovery and
complaint before the Commission. substantial proof of any of the following:
b. Right to object. The data subject shall have the (a) The personal data is incomplete, outdated, false,
right to object to the processing of his or her personal or unlawfully obtained;
data, including processing for direct marketing, (b) The personal data is being used for purpose not
automated processing or profiling. The data subject authorized by the data subject;
shall also be notified and given an opportunity to (c) The personal data is no longer necessary for the
withhold consent to the processing in case of changes purposes for which they were collected;
or any amendment to the information supplied or (d) The data subject withdraws consent or objects to
declared to the data subject in the preceding the processing, and there is no other legal ground or
paragraph. overriding legitimate interest for the processing;
When a data subject objects or withholds consent, the (e) The personal data concerns private information
personal information controller shall no longer that is prejudicial to data subject, unless justified by
process the personal data, unless: freedom of speech, of expression, or of the press or
1. The personal data is needed pursuant to a otherwise authorized;
subpoena; (f) The processing is unlawful;
2. The collection and processing are for obvious (g) The personal information controller or personal
purposes, including, when it is necessary for the information processor violated the rights of the data
performance of or in relation to a contract or service subject.
to which the data subject is a party, or when 2. The personal information controller may notify
necessary or desirable in the context of an employer- third parties who have previously received such
employee relationship between the collector and the processed personal information.
data subject; or f. Right to damages. The data subject shall be
3. The information is being collected and processed indemnified for any damages sustained due to such
as a result of a legal obligation. inaccurate, incomplete, outdated, false, unlawfully
c. Right to Access. The data subject has the right to obtained or unauthorized use of personal data, taking
reasonable access to, upon demand, the following: into account any violation of his or her rights and
1. Contents of his or her personal data that were freedoms as data subject.
processed;
2. Sources from which personal data were obtained; Section 35. Transmissibility of Rights of the Data
3. Names and addresses of recipients of the personal Subject. The lawful heirs and assigns of the data
data; subject may invoke the rights of the data subject to
4. Manner by which such data were processed; which he or she is an heir or an assignee, at any time
5. Reasons for the disclosure of the personal data to after the death of the data subject, or when the data
recipients, if any; subject is incapacitated or incapable of exercising the
20 of 26
rights as enumerated in the immediately preceding notification shall also include measures taken to
section. reduce the harm or negative consequences of the
breach, the representatives of the personal
Section 36. Right to Data Portability. Where his or information controller, including their contact details,
her personal data is processed by electronic means from whom the data subject can obtain additional
and in a structured and commonly used format, the information about the breach, and any assistance to
data subject shall have the right to obtain from the be provided to the affected data subjects.
personal information controller a copy of such data in
an electronic or structured format that is commonly Section 40. Delay of Notification. Notification may
used and allows for further use by the data subject. be delayed only to the extent necessary to determine
The exercise of this right shall primarily take into the scope of the breach, to prevent further
account the right of data subject to have control over disclosures, or to restore reasonable integrity to the
his or her personal data being processed based on information and communications system.
consent or contract, for commercial purpose, or a. In evaluating if notification is unwarranted, the
through automated means. The Commission may Commission may take into account compliance by
specify the electronic format referred to above, as the personal information controller with this section
well as the technical standards, modalities, and existence of good faith in the acquisition of
procedures and other rules for their transfer. personal data.
b. The Commission may exempt a personal
Section 37. Limitation on Rights. The immediately information controller from notification where, in its
preceding sections shall not be applicable if the reasonable judgment, such notification would not be
processed personal data are used only for the needs of in the public interest, or in the interest of the affected
scientific and statistical research and, on the basis of data subjects.
such, no activities are carried out and no decisions are c. The Commission may authorize postponement of
taken regarding the data subject: Provided, that the notification where it may hinder the progress of a
personal data shall be held under strict confidentiality criminal investigation related to a serious breach.
and shall be used only for the declared purpose. The
said sections are also not applicable to the processing Section 41. Breach Report.
of personal data gathered for the purpose of a. The personal information controller shall notify the
investigations in relation to any criminal, Commission by submitting a report, whether written
administrative or tax liabilities of a data subject. Any or electronic, containing the required contents of
limitations on the rights of the data subject shall only notification. The report shall also include the name of
be to the minimum extent necessary to achieve the a designated representative of the personal
purpose of said research or investigation. information controller, and his or her contact details.
Rule IX. Data Breach Notification. b. All security incidents and personal data breaches
shall be documented through written reports,
Section 38. Data Breach Notification. including those not covered by the notification
a. The Commission and affected data subjects shall requirements. In the case of personal data breaches, a
be notified by the personal information controller report shall include the facts surrounding an incident,
within seventy-two (72) hours upon knowledge of, or the effects of such incident, and the remedial actions
when there is reasonable belief by the personal taken by the personal information controller. In other
information controller or personal information security incidents not involving personal data, a
processor that, a personal data breach requiring report containing aggregated data shall constitute
notification has occurred. sufficient documentation. These reports shall be made
b. Notification of personal data breach shall be available when requested by the Commission. A
required when sensitive personal information or any general summary of the reports shall be submitted to
other information that may, under the circumstances, the Commission annually.
be used to enable identity fraud are reasonably
believed to have been acquired by an unauthorized Section 42. Procedure for Notification. The
person, and the personal information controller or the Procedure for breach notification shall be in
Commission believes that such unauthorized accordance with the Act, these Rules, and any other
acquisition is likely to give rise to a real risk of issuance of the Commission.
serious harm to any affected data subject.
c. Depending on the nature of the incident, or if there Rule X. Outsourcing and Subcontracting
is delay or failure to notify, the Commission may Agreements.
investigate the circumstances surrounding the
personal data breach. Investigations may include on- Section 43. Subcontract of Personal Data. A personal
site examination of systems and procedures. information controller may subcontract or outsource
the processing of personal data: Provided, that the
Section 39. Contents of Notification. The notification personal information controller shall use contractual
shall at least describe the nature of the breach, the or other reasonable means to ensure that proper
personal data possibly involved, and the measures safeguards are in place, to ensure the confidentiality,
taken by the entity to address the breach. The integrity and availability of the personal data
21 of 26
processed, prevent its use for unauthorized purposes, the Act, these Rules, or any other issuance of the
and generally, comply with the requirements of the Commission.
Act, these Rules, other applicable laws for processing
of personal data, and other issuances of the Section 45. Duty of personal information processor.
Commission. The personal information processor shall comply
Section 44. Agreements for Outsourcing. Processing with the requirements of the Act, these Rules, other
by a personal information processor shall be applicable laws, and other issuances of the
governed by a contract or other legal act that binds Commission, in addition to obligations provided in a
the personal information processor to the personal contract, or other legal act with a personal
information controller. information controller.
a. The contract or legal act shall set out the subject-
matter and duration of the processing, the nature and
purpose of the processing, the type of personal data Rule XI. Registration and Compliance
and categories of data subjects, the obligations and Requirements
rights of the personal information controller, and the
geographic location of the processing under the Section 46. Enforcement of the Data Privacy Act.
subcontracting agreement. Pursuant to the mandate of the Commission to
b. The contract or other legal act shall stipulate, in administer and implement the Act, and to ensure the
particular, that the personal information processor compliance of personal information controllers with
shall: its obligations under the law, the Commission
1. Process the personal data only upon the requires the following:
documented instructions of the personal information a. Registration of personal data processing systems
controller, including transfers of personal data to operating in the country that involves accessing or
another country or an international organization, requiring sensitive personal information of at least
unless such transfer is authorized by law; one thousand (1,000) individuals, including the
2. Ensure that an obligation of confidentiality is personal data processing system of contractors, and
imposed on persons authorized to process the their personnel, entering into contracts with
personal data; government agencies;
3. Implement appropriate security measures and b. Notification of automated processing operations
comply with the Act, these Rules, and other issuances where the processing becomes the sole basis of
of the Commission; making decisions that would significantly affect the
4. Not engage another processor without prior data subject;
instruction from the personal information controller: c. Annual report of the summary of documented
Provided, that any such arrangement shall ensure that security incidents and personal data breaches;
the same obligations for data protection under the d. Compliance with other requirements that may be
contract or legal act are implemented, taking into provided in other issuances of the Commission.
account the nature of the processing;
5. Assist the personal information controller, by Section 47. Registration of Personal Data Processing
appropriate technical and organizational measures Systems.
and to the extent possible, fulfill the obligation to The personal information controller or personal
respond to requests by data subjects relative to the information processor that employs fewer than two
exercise of their rights; hundred fifty (250) persons shall not be required to
6. Assist the personal information controller in register unless the processing it carries out is likely to
ensuring compliance with the Act, these Rules, other pose a risk to the rights and freedoms of data
relevant laws, and other issuances of the subjects, the processing is not occasional, or the
Commission, taking into account the nature of processing includes sensitive personal information of
processing and the information available to the at least one thousand (1,000) individuals.a. The
personal information processor; contents of registration shall include:
7. At the choice of the personal information 1. The name and address of the personal information
controller, delete or return all personal data to the controller or personal information processor, and of
personal information controller after the end of the its representative, if any, including their contact
provision of services relating to the processing: details;
Provided, that this includes deleting existing copies 2. The purpose or purposes of the processing, and
unless storage is authorized by the Act or another whether processing is being done under an
law; outsourcing or subcontracting agreement;
8. Make available to the personal information 3. A description of the category or categories of data
controller all information necessary to demonstrate subjects, and of the data or categories of data relating
compliance with the obligations laid down in the Act, to them;
and allow for and contribute to audits, including 4. The recipients or categories of recipients to whom
inspections, conducted by the personal information the data might be disclosed;
controller or another auditor mandated by the latter; 5. Proposed transfers of personal data outside the
9. Immediately inform the personal information Philippines;
controller if, in its opinion, an instruction infringes 6. A general description of privacy and security
22 of 26
measures for data protection; f. Any reported violation of the rights and freedoms
7. Brief description of the data processing system; of data subjects;
8. Copy of all policies relating to data governance, g. Other matters necessary to ensure the effective
data privacy, and information security; implementation and administration of the Act, these
9. Attestation to all certifications attained that are Rules, and other issuances of the Commission.
related to information and communications
processing; and
10. Name and contact details of the compliance or Rule XII. Rules on Accountability
data protection officer, which shall immediately be
updated in case of changes. Section 50. Accountability for Transfer of Personal
b. The procedure for registration shall be in Data. A personal information controller shall be
accordance with these Rules and other issuances of responsible for any personal data under its control or
the Commission. custody, including information that have been
outsourced or transferred to a personal information
Section 48. Notification of Automated Processing processor or a third party for processing, whether
Operations. The personal information controller domestically or internationally, subject to cross-
carrying out any wholly or partly automated border arrangement and cooperation.
processing operations or set of such operations a. A personal information controller shall be
intended to serve a single purpose or several related accountable for complying with the requirements of
purposes shall notify the Commission when the the Act, these Rules, and other issuances of the
automated processing becomes the sole basis for Commission. It shall use contractual or other
making decisions about a data subject, and when the reasonable means to provide a comparable level of
decision would significantly affect the data subject. protection to the personal data while it is being
a. The notification shall include the following processed by a personal information processor or
information: third party.
1. Purpose of processing; b. A personal information controller shall designate
2. Categories of personal data to undergo processing; an individual or individuals who are accountable for
3. Category or categories of data subject; its compliance with the Act. The identity of the
4. Consent forms or manner of obtaining consent; individual or individuals so designated shall be made
5. The recipients or categories of recipients to whom known to a data subject upon request.
the data are to be disclosed;
6. The length of time the data are to be stored; Section 51. Accountability for Violation of the Act,
7. Methods and logic utilized for automated these Rules and Other Issuances of the Commission.
processing; a. Any natural or juridical person, or other body
8. Decisions relating to the data subject that would be involved in the processing of personal data, who fails
made on the basis of processed data or that would to comply with the Act, these Rules, and other
significantly affect the rights and freedoms of data issuances of the Commission, shall be liable for such
subject; and violation, and shall be subject to its corresponding
9. Names and contact details of the compliance or sanction, penalty, or fine, without prejudice to any
data protection officer. civil or criminal liability, as may be applicable.
b. No decision with legal effects concerning a data b. In cases where a data subject files a complaint for
subject shall be made solely on the basis of violation of his or her rights as data subject, and for
automated processing without the consent of the data any injury suffered as a result of the processing of his
subject. or her personal data, the Commission may award
indemnity on the basis of the applicable provisions of
Section 49. Review by the Commission. the New Civil Code.
The following are subject to the review of the c. In case of criminal acts and their corresponding
Commission, upon its own initiative or upon the personal penalties, the person who committed the
filing of a complaint by a data subject:a. Compliance unlawful act or omission shall be recommended for
by a personal information controller or personal prosecution by the Commission based on substantial
information processor with the Act, these Rules, and evidence. If the offender is a corporation, partnership,
other issuances of the Commission; or any juridical person, the responsible officers, as
b. Compliance by a personal information controller or the case may be, who participated in, or by their gross
personal information processor with the requirement negligence, allowed the commission of the crime,
of establishing adequate safeguards for data privacy shall be recommended for prosecution by the
and security; Commission based on substantial evidence.
c. Any data sharing agreement, outsourcing contract,
and similar contracts involving the processing of
personal data, and its implementation; Rule XIII. Penalties
d. Any off-site or online access to sensitive personal
data in government allowed by a head of agency; Section 52. Unauthorized Processing of Personal
e. Processing of personal data for research purposes, Information and Sensitive Personal Information.
public functions, or commercial activities; a. A penalty of imprisonment ranging from one (1)
23 of 26
year to three (3) years and a fine of not less than Five (Php500,000.00) but not more than One million pesos
hundred thousand pesos (Php500,000.00) but not (Php1,000,000.00) shall be imposed on persons
more than Two million pesos (Php2,000,000.00) shall processing personal information for purposes not
be imposed on persons who process personal authorized by the data subject, or otherwise
information without the consent of the data subject, authorized under the Act or under existing laws.
or without being authorized under the Act or any b. A penalty of imprisonment ranging from two (2)
existing law. years to seven (7) years and a fine of not less than
b. A penalty of imprisonment ranging from three (3) Five hundred thousand pesos (Php500,000.00) but
years to six (6) years and a fine of not less than Five not more than Two million pesos (Php2,000,000.00)
hundred thousand pesos (Php500,000.00) but not shall be imposed on persons processing sensitive
more than Four million pesos (Php4,000,000.00) personal information for purposes not authorized by
shall be imposed on persons who process sensitive the data subject, or otherwise authorized under the
personal information without the consent of the data Act or under existing laws.
subject, or without being authorized under the Act or
any existing law. Section 56. Unauthorized Access or Intentional
Breach.
Section 53. Accessing Personal Information and A penalty of imprisonment ranging from one (1) year
Sensitive Personal Information Due to Negligence. to three (3) years and a fine of not less than Five
a. A penalty of imprisonment ranging from one (1) hundred thousand pesos (Php500,000.00) but not
year to three (3) years and a fine of not less than Five more than Two million pesos (Php2,000,000.00) shall
hundred thousand pesos (Php500,000.00) but not be imposed on persons who knowingly and
more than Two million pesos (Php2,000,000.00) shall unlawfully, or violating data confidentiality and
be imposed on persons who, due to negligence, security data systems, breaks in any way into any
provided access to personal information without system where personal and sensitive personal
being authorized under the Act or any existing law. information are stored.Section 57. Concealment of
b. A penalty of imprisonment ranging from three (3) Security Breaches Involving Sensitive Personal
years to six (6) years and a fine of not less than Five Information. A penalty of imprisonment ranging from
hundred thousand pesos (Php500,000.00) but not one (1) year and six (6) months to five (5) years and a
more than Four million pesos (Php4,000,000.00) fine of not less than Five hundred thousand pesos
shall be imposed on persons who, due to negligence, (Php500,000.00) but not more than One million pesos
provided access to sensitive personal information (Php1,000,000.00) shall be imposed on persons who,
without being authorized under the Act or any after having knowledge of a security breach and of
existing law. the obligation to notify the Commission pursuant to
Section 20(f) of the Act, intentionally or by omission
Section 54. Improper Disposal of Personal conceals the fact of such security breach.
Information and Sensitive Personal Information.
a. A penalty of imprisonment ranging from six (6) Section 58. Malicious Disclosure. Any personal
months to two (2) years and a fine of not less than information controller or personal information
One hundred thousand pesos (Php100,000.00) but not processor, or any of its officials, employees or agents,
more than Five hundred thousand pesos who, with malice or in bad faith, discloses
(Php500,000.00) shall be imposed on persons who unwarranted or false information relative to any
knowingly or negligently dispose, discard, or personal information or sensitive personal
abandon the personal information of an individual in information obtained by him or her, shall be subject
an area accessible to the public or has otherwise to imprisonment ranging from one (1) year and six
placed the personal information of an individual in its (6) months to five (5) years and a fine of not less than
container for trash collection. Five hundred thousand pesos (Php500,000.00) but
b. A penalty of imprisonment ranging from one (1) not more than One million pesos (Php1,000,000.00).
year to three (3) years and a fine of not less than One
hundred thousand pesos (Php100,000.00) but not Section 59. Unauthorized Disclosure.
more than One million pesos (Php1,000,000.00) shall a. Any personal information controller or personal
be imposed on persons who knowingly or negligently information processor, or any of its officials,
dispose, discard or abandon the sensitive personal employees, or agents, who discloses to a third party
information of an individual in an area accessible to personal information not covered by the immediately
the public or has otherwise placed the sensitive preceding section without the consent of the data
personal information of an individual in its container subject, shall be subject to imprisonment ranging
for trash collection. from one (1) year to three (3) years and a fine of not
less than Five hundred thousand pesos
Section 55. Processing of Personal Information and (Php500,000.00) but not more than One million pesos
Sensitive Personal Information for Unauthorized (Php1,000,000.00).
Purposes. b. Any personal information controller or personal
a. A penalty of imprisonment ranging from one (1) information processor, or any of its officials,
year and six (6) months to five (5) years and a fine of employees or agents, who discloses to a third party
not less than Five hundred thousand pesos sensitive personal information not covered by the
24 of 26
immediately preceding section without the consent of Rule XIV. Miscellaneous Provisions
the data subject, shall be subject to imprisonment
ranging from three (3) years to five (5) years and a Section 66. Appeal. Appeal from final decisions of
fine of not less than Five hundred thousand pesos the Commission shall be made to the proper courts in
(Php500,000.00) but not more than Two million accordance with the Rules of Court, or as may be
pesos (Php2,000,000.00). prescribed by law.
Section 60. Combination or Series of Acts. Any
combination or series of acts as defined in Sections Section 67. Period for Compliance. Any natural or
52 to 59 shall make the person subject to juridical person or other body involved in the
imprisonment ranging from three (3) years to six (6) processing of personal data shall comply with the
years and a fine of not less than One million pesos personal data processing principles and standards of
(Php1,000,000.00) but not more than Five million personal data privacy and security already laid out in
pesos (Php5,000,000.00). the Act.
Section 61. Extent of Liability. If the offender is a Personal information controllers and Personal
corporation, partnership or any juridical person, the Information processors shall register with the
penalty shall be imposed upon the responsible Commission their data processing systems or
officers, as the case may be, who participated in, or automated processing operations, subject to
by their gross negligence, allowed the commission of notification, within one (1) year after the effectivity
the crime. Where applicable, the court may also of these Rules. Any subsequent issuance of the
suspend or revoke any of its rights under this Act. Commission, including those that implement specific
If the offender is an alien, he or she shall, in addition standards for data portability, encryption, or other
to the penalties herein prescribed, be deported security measures shall provide the period for its
without further proceedings after serving the compliance.
penalties prescribed. For a period of one (1) year from the effectivity of
If the offender is a public official or employee and he these Rules, a personal information controller or
or she is found guilty of acts penalized under personal information processor may apply for an
Sections 54 and 55 of these Rules, he or she shall, in extension of the period within which to comply with
addition to the penalties prescribed herein, suffer the issuances of the Commission. The Commission
perpetual or temporary absolute disqualification from may grant such request for good cause shown.
office, as the case may be.
Section 68. Appropriations Clause. The Commission
Section 62. Large-Scale. The maximum penalty in shall be provided with appropriations for the
the corresponding scale of penalties provided for the performance of its functions which shall be included
preceding offenses shall be imposed when the in the General Appropriations Act.
personal data of at least one hundred (100) persons
are harmed, affected, or involved, as the result of any Section 69. Interpretation. Any doubt in the
of the above-mentioned offenses. interpretation of any provision of this Act shall be
liberally interpreted in a manner that would uphold
Section 63. Offense Committed by Public Officer. the rights and interests of the individual about whom
When the offender or the person responsible for the personal data is processed.
offense is a public officer, as defined in the
Administrative Code of 1987, in the exercise of his or Section 70. Separability Clause. If any provision or
her duties, he or she shall likewise suffer an part hereof is held invalid or unconstitutional, the
accessory penalty consisting of disqualification to remainder of these Rules or the provision not
occupy public office for a term double the term of the otherwise affected shall remain valid and subsisting.
criminal penalty imposed.
Section 71. Repealing Clause. Except as otherwise
Section 64. Restitution. Pursuant to the exercise of its expressly provided in the Act or these Rules, all other
quasi-judicial functions, the Commission shall award laws, decrees, executive orders, proclamations and
indemnity to an aggrieved party on the basis of the administrative regulations or parts thereof
provisions of the New Civil Code. Any complaint inconsistent herewith are hereby repealed or modified
filed by a data subject shall be subject to the payment accordingly.
of filing fees, unless the data subject is an indigent.
Section 72. Effectivity Clause. These Rules shall take
Section 65. Fines and Penalties. Violations of the effect fifteen (15) days after its publication in the
Act, these Rules, other issuances and orders of the Official Gazette.
Commission, shall, upon notice and hearing, be
subject to compliance and enforcement orders, cease
and desist orders, temporary or permanent ban on the
processing of personal data, or payment of fines, in
accordance with a schedule to be published by the
Commission.

25 of 26
Approved:(Sgd.) RAYMUND E. LIBORO
Privacy Commissioner

(Sgd.) DAMIAN
(Sgd.) IVY D. PATDU
DOMINGO O. MAPA
Deputy Privacy
Deputy Privacy
Commissioner
Commissioner
Promulgated: August 24, 2016

26 of 26