Data Privacy Notes

The RA 10173 Data Privacy Act of 2012 establishes a legal framework for the protection of personal information in the Philippines, creating a National Privacy Commission to oversee compliance. It mandates transparency, consent, and proportionality in data processing, while outlining the rights of data subjects, including access, correction, and erasure of their personal information. The Act also specifies penalties for unauthorized processing and negligence in handling personal data.

Uploaded by Maria Caro

RA 10173 Data Privacy Act of 2012: Key Provisions and Implications
Regulatory Framework and Legal Issues in Business (Polytechnic University of the Philippines)


RA 10173 - DATA PRIVACY ACT OF 2012
“AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES”
➔ August 15, 2012: the Data Privacy Act was passed
➔ Took effect on September 9, 2016
➔ A comprehensive and strict privacy legislation
➔ Regulates the processing of personal data/information
➔ Ensures that the Philippines complies with international standards with the help of the National Privacy Commission (which was constituted in 2016)

THE TWO-FOLD MANDATE OF DPA
“To protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth” (Sec. 2)
1. Protect the fundamental human right of privacy
2. Ensure the free flow of information

RIGHT TO PRIVACY
➔ Not expressly but impliedly provided in the Constitution
➔ While the “right to privacy” is not stated as one of the fundamental rights, it can be inferred from several provisions of the Constitution
➔ The right to privacy is one of the most threatened rights of man living in a mass society
  ◆ These threats emanate from various sources – governments, journalists, employers, social scientists, etc.

PRIVACY OF COMMUNICATION
1. The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise, as prescribed by law
2. Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding (Sec. 3, Art. III, Constitution)

DEFINITION OF TERMS
● Personal information – any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
  ○ A person's name
  ○ Their date of birth
  ○ Their contact details, such as address, phone number or email
  ○ Their bank account details
● Sensitive personal information – refers to personal information:
  ○ (1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  ○ (2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  ○ (3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  ○ (4) Specifically established by an executive order or an act of Congress to be kept classified.
● Privileged information – any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
  ○ Lawyer-client
  ○ Doctor-patient
  ○ Husband or wife cannot testify against one another without consent on any communication received by either in confidence
  ○ Priest-penitent
  ○ Public officer given information in official confidence
● Processing – any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Three (3) principles to be adhered to in the processing of data:
1. Transparency — The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language (Rule IV, Sec. 17(a), IRR-R.A. 10173).
  ● Consent – the data subject agrees to the collection and processing of personal information
    ○ Freely given
    ○ Specific
    ○ Informed indication of will
  ● Privacy Policy – internal statement that governs an organization or entity’s handling practices of personal information
    – directed at the users of personal information
  ● Privacy Policy – statement made to a data subject that describes how the organization collects, uses, retains, and discloses personal information
    – directed to external stakeholders
2. Legitimate Purpose — The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy
3. Proportionality — The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means (Rule IV, Sec. 17(c), IRR-R.A. 10173).

In general it is prohibited to request and/or record sensitive personal information.

Exceptions:
1. Consent - Where the person has given permission for the information to be recorded.
2. Pursuant to law - Where the information is required by law and/or a court order expressly requests the information due to its relevance in a legal matter.
3. To Protect Life/Safety - Where the person is not able to provide consent but the information is required to protect their life/safety/health.

DPA ACTORS
● Data subject – an individual whose personal information is processed.
● National Privacy Commission – independent body mandated to implement the Data Privacy Act and its Implementing Rules and Regulations.
● Personal information controller – a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
  ○ (1) A person or organization who performs such functions as instructed by another person or organization; and
  ○ (2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
● Personal information processor – any natural or juridical person qualified to act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

SCOPE OF APPLICATION
➔ Applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those personal information controllers and processors who, although not found or established in the Philippines, use equipment located in the Philippines, or those who maintain an office, branch or agency in the Philippines

EXTRATERRITORIAL APPLICATION
Applies to an act done or practice engaged in and outside of the Philippines by an entity if:
a. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
b. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines, or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents, such as, but not limited to, the following:
  i. A contract is entered in the Philippines;
  ii. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
  iii. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
c. The entity has other links in the Philippines such as, but not limited to:
  i. The entity carries on business in the Philippines; and
  ii. The personal information was collected or held by an entity in the Philippines.

THE ACT DOES NOT APPLY TO THE FOLLOWING
Matters of Public Concern
A. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
  a. The fact that the individual is or was an officer or employee of the government institution;
  b. The title, business address and office telephone number of the individual;
  c. The classification, salary range and responsibilities of the position held by the individual; and
  d. The name of the individual on a document prepared by the individual in the course of employment with the government;
B. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
C. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
D. Personal information processed for journalistic, artistic, literary or research purposes;
E. Information necessary in order to carry out the functions of public authority, which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.
F. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
G. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

RIGHTS OF DATA SUBJECT
1. Right to information – (sec A) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

(sec B) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
  1. Description of the personal information to be entered into the system;
  2. Purposes for which they are being or are to be processed;
  3. Scope and method of the personal information processing;
  4. The recipients or classes of recipients to whom they are or may be disclosed;
  5. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
  6. The identity and contact details of the personal information controller or its representative;
  7. The period for which the information will be stored; and
  8. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

2. Right to Access – (sec C) Reasonable access to, upon demand, the following:
  1. Contents of his or her personal information that were processed;
  2. Sources from which personal information were obtained;
  3. Names and addresses of recipients of the personal information;
  4. Manner by which such data were processed;
  5. Reasons for the disclosure of the personal information to recipients;
  6. Information on automated processes where the data will or is likely to be made the sole basis for any decision significantly affecting or that will affect the data subject;
  7. Date when his or her personal information concerning the data subject were last accessed and modified; and
  8. The designation, or name or identity and address of the personal information controller;

3. Right to object / correct / rectify – (sec D) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

4. Right to erase – Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and

5. Right for Damages and to File a Complaint – Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

6. Right to Data Portability – The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.

Non-Applicability of the Rights – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject. Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose.

Security of Personal Information
Personal information controllers must implement appropriate organizational, physical, and technical safeguards to protect personal data from accidental or unlawful threats, such as destruction, alteration, disclosure, loss, and unauthorized access or use.
● Risk-based Security Measures: Security must align with the sensitivity of the data, processing risks, organizational size and complexity, best practices, and implementation costs.
● Mandatory Safeguards: These include network protection, security policies, vulnerability assessment and response processes, and regular monitoring for breaches.
● Third-party Compliance: Contractors or partners handling data must follow the same security standards.
● Confidentiality: Employees and agents must maintain data confidentiality, even after ending their roles.
● Breach Notification: The controller must notify both the Commission and affected individuals when sensitive data is accessed without authorization and poses a risk of serious harm. The notice must detail the breach and mitigation steps.
● Exemptions & Delays: Notification can be delayed or exempted based on public interest, investigation integrity, or good faith acquisition, as assessed by the Commission.

Penalty provisions:
1. SEC. 25 – Unauthorized Processing
Description: Penalizes individuals who process personal or sensitive personal information without proper consent or legal basis.
Penalty:
● Personal info: 1–3 years imprisonment + ₱500,000–₱2,000,000 fine
● Sensitive info: 3–6 years imprisonment + ₱500,000–₱4,000,000 fine

2. SEC. 26 – Access Due to Negligence
Description: Applies to negligent handling that results in unauthorized access to personal or sensitive data.
Penalty:
● Personal info: 1–3 years imprisonment + ₱500,000–₱2,000,000 fine
● Sensitive info: 3–6 years imprisonment + ₱500,000–₱4,000,000 fine

3. SEC. 27 – Improper Disposal
Description: Penalizes the negligent or intentional public disposal of personal or sensitive information.
Penalty:
● Personal info: 6 months–2 years imprisonment + ₱100,000–₱500,000 fine
● Sensitive info: 1–3 years imprisonment + ₱100,000–₱1,000,000 fine

4. SEC. 28 – Unauthorized Purpose
Description: Penalizes using personal or sensitive information for purposes not consented to or authorized by law.
Penalty:
● Personal info: 1.5–5 years imprisonment + ₱500,000–₱1,000,000 fine
● Sensitive info: 2–7 years imprisonment + ₱500,000–₱2,000,000 fine

5. SEC. 29 – Unauthorized Access or Intentional Breach
Description: Addresses deliberate hacking or breaking into data systems containing personal data.
Penalty: 1–3 years imprisonment + ₱500,000–₱2,000,000 fine

SEC. 30 – Concealment of Security Breaches
Description: Penalizes failure to report known data breaches involving sensitive personal information.
Penalty: 1.5–5 years imprisonment + ₱500,000–₱1,000,000 fine

6. SEC. 31 – Malicious Disclosure
Description: Punishes individuals who disclose personal data with malice or bad faith.
Penalty: 1.5–5 years imprisonment + ₱500,000–₱1,000,000 fine

7. SEC. 32 – Unauthorized Disclosure
Description: Covers disclosures made without malice but still unauthorized (e.g., negligence or carelessness).
Penalty:
● Personal info: 1–3 years imprisonment + ₱500,000–₱1,000,000 fine
● Sensitive info: 3–5 years imprisonment + ₱500,000–₱2,000,000 fine

8. SEC. 33 – Combination or Series of Acts
Description: Imposes higher penalties when multiple violations from Sections 25–32 are committed.
Penalty: 3–6 years imprisonment + ₱1,000,000–₱5,000,000 fine

9. SEC. 34 – Extent of Liability
Description: Clarifies who is liable when the offender is a company, public official, or foreign national.
Penalty: Officers or individuals directly involved are liable; entities can face suspension, and aliens may be deported. Public officials face disqualification.

10. SEC. 35 – Large-Scale Offense
Description: Applies maximum penalties when 100 or more individuals are affected by a data breach or violation.

11. SEC. 36 – Offense by Public Officer
Description: Imposes an additional penalty of disqualification from public office, for twice the term of imprisonment, if the offender is a public official.

12. SEC. 37 – Restitution
Description: Allows affected individuals to seek compensation under civil law (New Civil Code) for damages suffered due to data privacy violations.
Extent of Liability – liability is attached to the responsible officers
