Ra 10173
Ra 10173
Philippines Metro Manila Fifteenth Congress         Privacy Commission created by virtue of this
Second Regular Session                              Act.
Begun and held in Metro Manila, on Monday,          (b) Consent of the data subject refers to any
the twenty-fifth day of July, two thousand          freely given, specific, informed indication of
eleven.                                             will, whereby the data subject agrees to the
                                                    collection and processing of personal
         [REPUBLIC ACT NO. 10173]                   information about and/or relating to him or her.
                                                    Consent shall be evidenced by written,
   AN ACT PROTECTING INDIVIDUAL
                                                    electronic or recorded means. It may also be
      PERSONAL INFORMATION IN
                                                    given on behalf of the data subject by an agent
 INFORMATION AND COMMUNICATIONS
                                                    specifically authorized by the data subject to do
SYSTEMS IN THE GOVERNMENT AND THE
                                                    so.
 PRIVATE SECTOR, CREATING FOR THIS
    PURPOSE A NATIONAL PRIVACY                      (c) Data subject refers to an individual whose
    COMMISSION, AND FOR OTHER                       personal information is processed.
             PURPOSES
                                                    (d) Direct marketing refers to communication
Be it enacted, by the Senate and House of           by whatever means of any advertising or
Representatives of the Philippines in Congress      marketing material which is directed to
assembled:                                          particular individuals.
CHAPTER I GENERAL PROVISIONS                        (e) Filing system refers to any act of
                                                    information relating to natural or juridical
SECTION 1. Short Title. – This Act shall be
                                                    persons to the extent that, although the
known as the “Data Privacy Act of 2012”.
                                                    information is not processed by equipment
SEC. 2. Declaration of Policy. – It is the policy   operating automatically in response to
of the State to protect the fundamental human       instructions given for that purpose, the set is
right of privacy, of communication while            structured, either by reference to individuals or
ensuring free flow of information to promote        by reference to criteria relating to individuals, in
innovation and growth. The State recognizes         such a way that specific information relating to
the    vital   role    of     information    and    a particular person is readily accessible.
communications technology in nation-building
                                                    (f) Information and Communications System
and its inherent obligation to ensure that
                                                    refers to a system for generating, sending,
personal information in information and
                                                    receiving, storing or otherwise processing
communications systems in the government
                                                    electronic data messages or electronic
and in the private sector are secured and
                                                    documents and includes the computer system
protected.
                                                    or other similar device by or which data is
SEC. 3. Definition of Terms. – Whenever used        recorded, transmitted or stored and any
in this Act, the following terms shall have the     procedure     related   to    the    recording,
respective meanings hereafter set forth:            transmission or storage of electronic data,
                                                    electronic message, or electronic document.
(g) Personal information refers to any               (l) Sensitive personal information refers to
information whether recorded in a material           personal information:
form or not, from which the identity of an
individual is apparent or can be reasonably and      (1) About an individual’s race, ethnic origin,
directly ascertained by the entity holding the       marital status, age, color, and religious,
information, or when put together with other         philosophical or political affiliations;
information would directly and certainly identify
                                                     (2) About an individual’s health, education,
an individual.
                                                     genetic or sexual life of a person, or to any
(h) Personal information controller refers to a      proceeding for any offense committed or
person or organization who controls the              alleged to have been committed by such
collection, holding, processing or use of            person, the disposal of such proceedings, or
personal information, including a person or          the sentence of any court in such proceedings;
organization who instructs another person or
                                                     (3) Issued by government agencies peculiar to
organization to collect, hold, process, use,
                                                     an individual which includes, but not limited to,
transfer or disclose personal information on his
                                                     social security numbers, previous or current
or her behalf. The term excludes:
                                                     health records, licenses or its denials,
(1) A person or organization who performs            suspension or revocation, and tax returns; and
such functions as instructed by another person
                                                     (4) Specifically established by an executive
or organization; and
                                                     order or an act of Congress to be kept
(2) An individual who collects, holds, processes     classified.
or uses personal information in connection with
                                                     SEC. 4. Scope. – This Act applies to the
the individual’s personal, family or household
                                                     processing of all types of personal information
affairs.
                                                     and to any natural and juridical person involved
(i) Personal information processor refers to any     in personal information processing including
natural or juridical person qualified to act as      those personal information controllers and
such under this Act to whom a personal               processors who, although not found or
information controller may outsource the             established in the Philippines, use equipment
processing of personal data pertaining to a          that are located in the Philippines, or those
data subject.                                        who maintain an office, branch or agency in the
                                                     Philippines subject to the immediately
(j) Processing refers to any operation or any        succeeding paragraph: Provided, That the
set of operations performed upon personal            requirements of Section 5 are complied with.
information including, but not limited to, the
collection, recording, organization, storage,        This Act does not apply to the following:
updating or modification, retrieval, consultation,
                                                     (a) Information about any individual who is or
use, consolidation, blocking, erasure or
                                                     was an officer or employee of a government
destruction of data.
                                                     institution that relates to the position or
(k) Privileged information refers to any and all     functions of the individual, including:
forms of data which under the Rules of Court
                                                     (1) The fact that the individual is or was an
and other pertinent laws constitute privileged
                                                     officer or employee of the government
communication.
                                                     institution;
(2) The title, business address and office             independent, central monetary authority or
telephone number of the individual;                    Bangko Sentral ng Pilipinas to comply with
                                                       Republic Act No. 9510, and Republic Act No.
(3) The classification, salary range and               9160, as amended, otherwise known as the
responsibilities of the position held by the           Anti-Money Laundering Act and other
individual; and                                        applicable laws; and
(4) The name of the individual on a document           (g) Personal information originally collected
prepared by the individual in the course of            from residents of foreign jurisdictions in
employment with the government;                        accordance with the laws of those foreign
                                                       jurisdictions, including any applicable data
(b) Information about an individual who is or
                                                       privacy laws, which is being processed in the
was performing service under contract for a
                                                       Philippines.
government institution that relates to the
services performed, including the terms of the         SEC. 5. Protection Afforded to Journalists and
contract, and the name of the individual given         Their Sources. – Nothing in this Act shall be
in the course of the performance of those              construed as to have amended or repealed the
services;                                              provisions of Republic Act No. 53, which
                                                       affords the publishers, editors or duly
(c) Information relating to any discretionary
                                                       accredited reporters of any newspaper,
benefit of a financial nature such as the
                                                       magazine or periodical of general circulation
granting of a license or permit given by the
                                                       protection from being compelled to reveal the
government to an individual, including the
                                                       source of any news report or information
name of the individual and the exact nature of
                                                       appearing in said publication which was related
the benefit;
                                                       in any confidence to such publisher, editor, or
(d) Personal information processed for                 reporter.
journalistic, artistic, literary or research
                                                       SEC. 6. Extraterritorial Application. – This Act
purposes;
                                                       applies to an act done or practice engaged in
(e) Information necessary in order to carry out        and outside of the Philippines by an entity if:
the functions of public authority which includes
                                                       (a) The act, practice or processing relates to
the processing of personal data for the
                                                       personal information about a Philippine citizen
performance by the independent, central
                                                       or a resident;
monetary authority and law enforcement and
regulatory agencies of their constitutionally and      (b) The entity has a link with the Philippines,
statutorily mandated functions. Nothing in this        and the entity is processing personal
Act shall be construed as to have amended or           information in the Philippines or even if the
repealed Republic Act No. 1405, otherwise              processing is outside the Philippines as long as
known as the Secrecy of Bank Deposits Act;             it is about Philippine citizens or residents such
Republic Act No. 6426, otherwise known as the          as, but not limited to, the following:
Foreign Currency Deposit Act; and Republic
Act No. 9510, otherwise known as the Credit            (1) A contract is entered in the Philippines;
Information System Act (CISA);
                                                       (2) A juridical entity unincorporated in the
(f) Information necessary for banks and other          Philippines but has central management and
financial institutions under the jurisdiction of the   control in the country; and
(3) An entity that has a branch, agency, office       to collect the information necessary to perform
or subsidiary in the Philippines and the parent       its functions under this Act;
or affiliate of the Philippine entity has access to
personal information; and                             (c) Issue cease and desist orders, impose a
                                                      temporary or permanent ban on the processing
(c) The entity has other links in the Philippines     of personal information, upon finding that the
such as, but not limited to:                          processing will be detrimental to national
                                                      security and public interest;
(1) The entity carries on business in the
Philippines; and                                      (d) Compel or petition any entity, government
                                                      agency or instrumentality to abide by its orders
(2) The personal information was collected or         or take action on a matter affecting data
held by an entity in the Philippines.                 privacy;
Back To Top                                           (e) Monitor the compliance of other
                                                      government agencies or instrumentalities on
CHAPTER II THE           NATIONAL       PRIVACY
                                                      their security and technical measures and
COMMISSION
                                                      recommend the necessary action in order to
SEC. 7. Functions of the National Privacy             meet minimum standards for protection of
Commission. – To administer and implement             personal information pursuant to this Act;
the provisions of this Act, and to monitor and
                                                      (f) Coordinate with other government agencies
ensure compliance of the country with
                                                      and the private sector on efforts to formulate
international standards set for data protection,
                                                      and implement plans and policies to strengthen
there is hereby created an independent body to
                                                      the protection of personal information in the
be known as the National Privacy Commission,
                                                      country;
which shall have the following functions:
                                                      (g) Publish on a regular basis a guide to all
(a) Ensure compliance of personal information
                                                      laws relating to data protection;
controllers with the provisions of this Act;
                                                      (h) Publish a compilation of agency system of
(b) Receive complaints, institute investigations,
                                                      records and notices, including index and other
facilitate or enable settlement of complaints
                                                      finding aids;
through the use of alternative dispute
resolution processes, adjudicate, award               (i) Recommend to the Department of Justice
indemnity on matters affecting any personal           (DOJ) the prosecution and imposition of
information, prepare reports on disposition of        penalties specified in Sections 25 to 29 of this
complaints and resolution of any investigation it     Act;
initiates, and, in cases it deems appropriate,
publicize any such report: Provided, That in          (j) Review, approve, reject or require
resolving any complaint or investigation              modification of privacy codes voluntarily
(except where amicable settlement is reached          adhered      to   by   personal    information
by the parties), the Commission shall act as a        controllers:Provided, That the privacy codes
collegial body. For this purpose, the                 shall adhere to the underlying data privacy
Commission may be given access to personal            principles embodied in this Act: Provided,
information that is subject of any complaint and      further,That such privacy codes may include
                                                      private dispute resolution mechanisms for
complaints against any participating personal        SEC. 8. Confidentiality. – The Commission
information controller. For this purpose, the        shall ensure at all times the confidentiality of
Commission shall consult with relevant               any personal information that comes to its
regulatory agencies in the formulation and           knowledge and possession.
administration of privacy codes applying the
standards set out in this Act, with respect to the   SEC. 9. Organizational Structure of the
persons, entities, business activities and           Commission. – The Commission shall be
business sectors that said regulatory bodies         attached to the Department of Information and
are authorized to principally regulate pursuant      Communications Technology (DICT) and shall
to the law: Provided, finally. That the              be headed by a Privacy Commissioner, who
Commission may review such privacy codes             shall also act as Chairman of the Commission.
and require changes thereto for purposes of          The Privacy Commissioner shall be assisted by
complying with this Act;                             two (2) Deputy Privacy Commissioners, one to
                                                     be responsible for Data Processing Systems
(k) Provide assistance on matters relating to        and one to be responsible for Policies and
privacy or data protection at the request of a       Planning. The Privacy Commissioner and the
national or local agency, a private entity or any    two (2) Deputy Privacy Commissioners shall be
person;                                              appointed by the President of the Philippines
                                                     for a term of three (3) years, and may be
(l) Comment on the implication on data privacy       reappointed for another term of three (3) years.
of proposed national or local statutes,              Vacancies in the Commission shall be filled in
regulations or procedures, issue advisory            the same manner in which the original
opinions and interpret the provisions of this Act    appointment was made.
and other data privacy laws;
                                                     The Privacy Commissioner must be at least
(m) Propose legislation, amendments or               thirty-five (35) years of age and of good moral
modifications to Philippine laws on privacy or       character, unquestionable integrity and known
data protection as may be necessary;                 probity, and a recognized expert in the field of
                                                     information technology and data privacy. The
(n) Ensure proper and effective coordination
                                                     Privacy Commissioner shall enjoy the benefits,
with data privacy regulators in other countries
                                                     privileges and emoluments equivalent to the
and private accountability agents, participate in
                                                     rank of Secretary.
international and regional initiatives for data
privacy protection;                                  The Deputy Privacy Commissioners must be
                                                     recognized experts in the field of information
(o) Negotiate and contract with other data
                                                     and communications technology and data
privacy authorities of other countries for
                                                     privacy. They shall enjoy the benefits,
cross-border application and implementation of
                                                     privileges and emoluments equivalent to the
respective privacy laws;
                                                     rank of Undersecretary.
(p) Assist Philippine companies doing business
                                                     The Privacy Commissioner, the Deputy
abroad to respond to foreign privacy or data
                                                     Commissioners, or any person acting on their
protection laws and regulations; and
                                                     behalf or under their direction, shall not be
(q) Generally perform such acts as may be            civilly liable for acts done in good faith in the
necessary     to     facilitate   cross-border       performance of their duties. However, he or
enforcement of data privacy protection.              she shall be liable for willful or negligent acts
done by him or her which are contrary to law,       collection, and later processed in a way
morals, public policy and good customs even if      compatible with such declared, specified and
he or she acted under orders or instructions of     legitimate purposes only;
superiors: Provided, That in case a lawsuit is
filed against such official on the subject of the   (b) Processed fairly and lawfully;
performance of his or her duties, where such
                                                    (c) Accurate, relevant and, where necessary
performance is lawful, he or she shall be
                                                    for purposes for which it is to be used the
reimbursed by the Commission for reasonable
                                                    processing of personal information, kept up to
costs of litigation.
                                                    date; inaccurate or incomplete data must be
SEC. 10. The Secretariat. – The Commission          rectified, supplemented, destroyed or their
is hereby authorized to establish a Secretariat.    further processing restricted;
Majority of the members of the Secretariat
                                                    (d) Adequate and not excessive in relation to
must have served for at least five (5) years in
                                                    the purposes for which they are collected and
any agency of the government that is involved
                                                    processed;
in the processing of personal information
including, but not limited to, the following        (e) Retained only for as long as necessary for
offices: Social Security System (SSS),              the fulfillment of the purposes for which the
Government Service Insurance System                 data was obtained or for the establishment,
(GSIS), Land Transportation Office (LTO),           exercise or defense of legal claims, or for
Bureau of Internal Revenue (BIR), Philippine        legitimate business purposes, or as provided
Health Insurance Corporation (PhilHealth),          by law; and
Commission on Elections (COMELEC),
Department of Foreign Affairs (DFA),                (f) Kept in a form which permits identification of
Department of Justice (DOJ), and Philippine         data subjects for no longer than is necessary
Postal Corporation (Philpost).                      for the purposes for which the data were
                                                    collected and processed: Provided, That
Back To Top                                         personal information collected for other
                                                    purposes may lie processed for historical,
CHAPTER III PROCESSING OF PERSONAL
                                                    statistical or scientific purposes, and in cases
INFORMATION
                                                    laid down in law may be stored for longer
SEC. 11. General Data Privacy Principles. –         periods: Provided, further,That adequate
The processing of personal information shall        safeguards are guaranteed by said laws
be allowed, subject to compliance with the          authorizing their processing.
requirements of this Act and other laws
                                                    The personal information controller must
allowing disclosure of information to the public
                                                    ensure implementation of personal information
and adherence to the principles of
                                                    processing principles set out herein.
transparency,     legitimate    purpose     and
proportionality.                                    SEC. 12. Criteria for Lawful Processing of
                                                    Personal Information. – The processing of
Personal information must, be:,
                                                    personal information shall be permitted only if
(a) Collected for specified and legitimate          not otherwise prohibited by law, and when at
purposes determined and declared before, or         least one of the following conditions exists:
as soon as reasonably practicable after
(a) The data subject has given his or her           That such regulatory enactments guarantee
consent;                                            the protection of the sensitive personal
                                                    information and the privileged information:
(b) The processing of personal information is       Provided, further, That the consent of the data
necessary and is related to the fulfillment of a    subjects are not required by law or regulation
contract with the data subject or in order to       permitting the processing of the sensitive
take steps at the request of the data subject       personal information or the privileged
prior to entering into a contract;                  information;
(c) The processing is necessary for compliance      (c) The processing is necessary to protect the
with a legal obligation to which the personal       life and health of the data subject or another
information controller is subject;                  person, and the data subject is not legally or
                                                    physically able to express his or her consent
(d) The processing is necessary to protect
                                                    prior to the processing;
vitally important interests of the data subject,
including life and health;                          (d) The processing is necessary to achieve the
                                                    lawful and noncommercial objectives of public
(e) The processing is necessary in order to
                                                    organizations and their associations: Provided,
respond to national emergency, to comply with
                                                    That such processing is only confined and
the requirements of public order and safety, or
                                                    related to the bona fide members of these
to fulfill functions of public authority which
                                                    organizations or their associations: Provided,
necessarily includes the processing of personal
                                                    further, That the sensitive personal information
data for the fulfillment of its mandate; or
                                                    are not transferred to third parties: Provided,
(f) The processing is necessary for the             finally, That consent of the data subject was
purposes of the legitimate interests pursued by     obtained prior to processing;
the personal information controller or by a third
                                                    (e) The processing is necessary for purposes
party or parties to whom the data is disclosed,
                                                    of medical treatment, is carried out by a
except where such interests are overridden by
                                                    medical practitioner or a medical treatment
fundamental rights and freedoms of the data
                                                    institution, and an adequate level of protection
subject which require protection under the
                                                    of personal information is ensured; or
Philippine Constitution.
                                                    (f) The processing concerns such personal
SEC. 13. Sensitive Personal Information and
                                                    information as is necessary for the protection
Privileged Information. – The processing of
                                                    of lawful rights and interests of natural or legal
sensitive personal information and privileged
                                                    persons in court proceedings, or the
information shall be prohibited, except in the
                                                    establishment, exercise or defense of legal
following cases:
                                                    claims, or when provided to government or
(a) The data subject has given his or her           public authority.
consent, specific to the purpose prior to the
                                                    SEC. 14. Subcontract of Personal Information.
processing, or in the case of privileged
                                                    – A personal information controller may
information, all parties to the exchange have
                                                    subcontract the processing of personal
given their consent prior to processing;
                                                    information: Provided, That the personal
(b) The processing of the same is provided for      information controller shall be responsible for
by existing laws and regulations: Provided,         ensuring that proper safeguards are in place to
ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.

SEC. 15. Extension of Privileged Communication. – Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.

CHAPTER IV RIGHTS OF THE DATA SUBJECT

SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last accessed and modified; and

(8) The designation, or name or identity and address of the personal information controller;

(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and

(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

SEC. 18. Right to Data Portability. – The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.

SEC. 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.
CHAPTER V SECURITY OF PERSONAL INFORMATION

SEC. 20. Security of Personal Information. – (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.

(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.

(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.

(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.

(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

CHAPTER VI ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

SEC. 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

(a) The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.

(b) The personal information controller shall designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.

CHAPTER VII SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT

SEC. 22. Responsibility of Heads of Agencies. – All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein while the Commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.

SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information. – (a) On-site and Online Access – Except as may be allowed through guidelines to be issued by the Commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency.

(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the following guidelines:

(1) Deadline for Approval or Disapproval – In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove the request within two (2) business days after the date of submission
of the request. In case there is no action by the head of the agency, then such request is considered disapproved;

(2) Limitation to One thousand (1,000) Records – If a request is approved, the head of the agency shall limit the access to not more than one thousand (1,000) records at a time; and

(3) Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

The requirements of this subsection shall be implemented not later than six (6) months after the date of the enactment of this Act.

SEC. 24. Applicability to Government Contractors. – In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal information processing system with the Commission in accordance with this Act and to comply with the other provisions of this Act including the immediately preceding section, in the same manner as agencies and government employees comply with such requirements.

CHAPTER VIII PENALTIES

SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. – (a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The improper disposal of personal information shall be penalized by
imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

(b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

SEC. 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes. – The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.

SEC. 31. Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal
information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

SEC. 33. Combination or Series of Acts. – Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and he or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.

SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.

SEC. 36. Offense Committed by Public Officer. – When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied.

SEC. 37. Restitution. – Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

CHAPTER IX MISCELLANEOUS PROVISIONS

SEC. 38. Interpretation. – Any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.

SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from the effectivity of this Act, the Commission shall promulgate the rules and regulations to effectively implement the provisions of this Act.

SEC. 40. Reports and Information. – The Commission shall annually report to the President and Congress on its activities in carrying out the provisions of this Act. The
Commission shall undertake whatever efforts it may determine to be necessary or appropriate to inform and educate the public of data privacy, data protection and fair information rights and responsibilities.

SEC. 41. Appropriations Clause. – The Commission shall be provided with an initial appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the national government. Appropriations for the succeeding years shall be included in the General Appropriations Act. It shall likewise receive Ten million pesos (Php10,000,000.00) per year for five (5) years upon implementation of this Act drawn from the national government.

SEC. 45. Effectivity Clause. – This Act shall take effect fifteen (15) days after its publication in at least two (2) national newspapers of general circulation.

Approved,

(Sgd.) FELICIANO BELMONTE JR.
Speaker of the House of Representatives

(Sgd.) JUAN PONCE ENRILE
President of the Senate

This Act which is a consolidation of Senate Bill No. 2965 and House Bill No. 4115 was finally passed by the Senate and the House of Representatives on June 6, 2012.