Philippines - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act') is the first comprehensive law covering data privacy in the Philippines. It became enforceable on 8 September 2012. The National Privacy Commission ('NPC') was established in early 2016 and later issued the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR'), which became enforceable on 9 September 2016. The IRR sets out, in greater detail, the requirements that individuals and entities must comply with when processing personal data, as well as the sanctions for violations of the Act.
Guidelines on the pseudonymisation and anonymisation of personal data further specify the procedures for carrying out each process correctly, including how to prepare data for it, the types of data to be extracted during it, how to examine and determine whether re-identification is possible afterwards, and the creation of clear policies for the individuals and entities that will handle the pseudonymised or anonymised data. The guidelines also provide several theoretical and technical examples of how they can be followed by personal information controllers ('PICs') and personal information processors ('PIPs') handling such data.
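As an added illustration of the two processes the guidelines distinguish (example code written for this overview, not material from the guidelines or the NPC), the Python below pseudonymises a constructed set of patient records by replacing the direct identifiers with an HMAC-SHA256 token under a key that stays with the PIC, measures the remaining re-identification risk with a k-anonymity count over the quasi-identifiers, and then produces an anonymised release by generalising those quasi-identifiers and suppressing records that are still rare. The record layout, the choice of quasi-identifiers, HMAC as the pseudonymisation method and k-anonymity as the re-identification test are all assumptions of the example, not requirements stated in the guidelines.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records, not real people. 'name' and 'sss_no' are direct
# identifiers; 'zip', 'birth_year' and 'sex' are quasi-identifiers which, combined,
# can single a person out even after the direct identifiers are gone.
RECORDS = [
    {"name": "A. Cruz",    "sss_no": "34-0000001-1", "zip": "1000", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Reyes",   "sss_no": "34-0000002-2", "zip": "1000", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Santos",  "sss_no": "34-0000003-3", "zip": "1001", "birth_year": 1986, "sex": "F", "diagnosis": "asthma"},
    {"name": "D. Garcia",  "sss_no": "34-0000004-4", "zip": "1002", "birth_year": 1988, "sex": "F", "diagnosis": "hypertension"},
    {"name": "E. Torres",  "sss_no": "34-0000005-5", "zip": "1100", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"name": "F. Ramos",   "sss_no": "34-0000006-6", "zip": "1101", "birth_year": 1979, "sex": "M", "diagnosis": "diabetes"},
    {"name": "G. Mendoza", "sss_no": "34-0000007-7", "zip": "1103", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"name": "H. Flores",  "sss_no": "34-0000008-8", "zip": "1600", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "sss_no")
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def new_pseudonymisation_key() -> bytes:
    """The re-identification secret (assumed design: a 256-bit HMAC key).
    Keep it with the PIC, apart from the pseudonymised data set."""
    return secrets.token_bytes(32)


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with a keyed token: HMAC-SHA256 over the SSS number.
    Records of the same person remain linkable, but without the key a token cannot be
    mapped back. A plain unkeyed hash would not do: SSS numbers are a small enough
    space to enumerate and hash."""
    out = []
    for r in records:
        token = hmac.new(key, r["sss_no"].encode(), hashlib.sha256).hexdigest()[:16]
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": token, **kept})
    return out


def k_anonymity(records) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier values.
    k == 1 means some record is unique on (zip, birth_year, sex) and can be re-identified
    by anyone who knows those three facts about a person, pseudonym or not."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def generalise(record):
    """Coarsen the quasi-identifiers: 2-digit ZIP prefix and a 10-year birth band."""
    decade = record["birth_year"] - record["birth_year"] % 10
    return {**record, "zip": record["zip"][:2] + "**", "birth_year": f"{decade}-{decade + 9}"}


def anonymise(records, k_required=3):
    """Release-grade anonymisation: drop direct identifiers and any pseudonym (no link
    back is wanted), generalise the quasi-identifiers, then suppress every record that is
    still in a group smaller than k_required."""
    drop = DIRECT_IDENTIFIERS + ("pseudonym",)
    gen = [generalise({k: v for k, v in r.items() if k not in drop}) for r in records]
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in gen)
    return [r for r in gen if groups[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k_required]


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    internal = pseudonymise(RECORDS, key)
    print("pseudonymised k =", k_anonymity(internal))  # 1: quasi-identifiers still single people out
    released = anonymise(RECORDS, k_required=3)
    print("anonymised k =", k_anonymity(released), "records kept:", len(released))  # 3, 7
```

The run makes the point the guidelines turn on: pseudonymisation alone leaves k = 1 on the quasi-identifiers, so the data set is still personal information in the Act's sense (the individual can be identified "when put together with other information"), and the PIC must treat both the data and the key accordingly. Only after generalisation and suppression does every remaining record share its quasi-identifier values with at least two others, which is the kind of re-identification check the guidelines ask for before data is handled as anonymised.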
The NPC has also issued the following circulars and advisories ('NPC Issuances'), which expand on the procedures for handling personal data:
- NPC Circular 16-01 Security of Personal Data in Government Agencies (10 October 2016) ('Circular 16-01');
- NPC Circular 16-02 Data Sharing Agreements Involving Government Agencies (10 October 2016) ('Circular 16-02');
- NPC Circular 16-03 Personal Data Breach Management (15 December 2016) ('Circular 16-03');
- NPC Circular 16-04 Rules of Procedure of the National Privacy Commission (15 December 2016) ('Circular 16-04');
- NPC Circular 17-01 Registration of Data Processing Systems and Notifications Regarding Automated Decision-Making (13 July 2017) ('Circular 17-01');
- NPC Advisory 2017-01 Designation of Data Protection Officers (14 March 2017) ('Advisory 17-01');
- NPC Advisory 2017-02 Access to Personal Data Sheets of Government Personnel (3 April 2017) ('Advisory 17-02');
- NPC Advisory 2017-03 Guidelines on Privacy Impact Assessments (31 July 2017) ('Advisory 17-03');
- NPC Circular 18-01 Rules of Procedure on Requests for Advisory Opinions (10 September 2018) ('Circular 18-01');
- NPC Circular 18-02 Guidelines on Compliance Checks (20 September 2018) ('Circular 18-02');
- NPC Circular 18-03 Rules on Mediation before the National Privacy Commission (18 December 2018) ('Circular 18-03');
- DOH-NPC Joint Memorandum Circular No. 2020-0001 – Guidelines on the Use of Telemedicine in COVID-19 Response;
- DOH-NPC Joint Memorandum Circular No. 2020-0002 – Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response (27 April 2020) ('JMC 2020-0002');
- NPC Advisory 18-01 Guidelines on Security Incident and Personal Data Breach Reportorial Requirements (14 June 2018) ('Advisory 18-01'); and
- NPC Advisory 18-02 Updated Templates on Security Incident and Personal Data Breach Reportorial Requirements (26 June 2018) ('Advisory 18-02').
Since its inception, the NPC has issued over 200 advisory opinions, which are responses to written requests or queries from data subjects, PICs, and PIPs, covering a variety of data privacy topics and issues, including privacy violations, personal data breaches, personal data protection, and interpretations of the Act, the IRR, and other NPC issuances.
1.3. Case Law
Given the relatively short period since the implementation of data privacy laws in the Philippines, the Supreme Court of the Philippines has not yet decided a case on the Act and the IRR.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The Act and its IRR apply to the processing of all types of personal information and to any natural and juridical person involved in personal information processing. This includes an act done or practice engaged in, whether in or outside the Philippines, by an entity if:
- the act, practice, or processing relates to personal information about a Philippine citizen or a resident;
- the entity has a link with the Philippines and is processing personal information in the Philippines, or is processing it outside the Philippines as long as it is about Philippine citizens or residents, where such a link includes, but is not limited to, the following:
  - a contract is entered into in the Philippines;
  - a juridical entity is unincorporated in the Philippines but has central management and control in the country; and
  - the entity has a branch, agency, office, or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; or
- the entity has other links in the Philippines such as, but not limited to:
  - the entity carries on business in the Philippines; and
  - the personal information was collected or held by an entity in the Philippines.
2.2. What types of processing are covered/exempted?
The Act and IRR shall not apply to the following specified information, subject to the extent indicated under the law:
- information processed for purposes of allowing public access to information that falls within matters of public concern;
- personal information processed for journalistic, artistic, or literary purpose, in order to uphold freedom of speech, of expression, or of the press;
- personal information that will be processed for research purposes intended for a public benefit;
- information necessary to carry out the functions of a public authority;
- information necessary for banks, other financial institutions under the jurisdiction of the Bangko Sentral ng Pilipinas, and other bodies authorised by law to the extent necessary to comply with the Republic Act No. 9510 Establishing the Credit Information System 2008 and the Republic Act No. 9160 on Anti-Money Laundering 2001 in the Philippines, and other applicable laws; and
- personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, which is being processed in the Philippines.
In addition, publishers, editors or duly accredited reporters of any newspaper, magazine, or periodical of general circulation are still bound to follow the Act and IRR, but are not compelled to reveal the source of any news report or information appearing in the publication if it was relayed in confidence to them.
Lawful Processing of Personal Information, Sensitive Personal Information, and Privileged Information
The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
- the data subject has given his or her consent;
- the processing of personal information is necessary and is related to the fulfilment of a contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the PIC is subject;
- the processing is necessary to protect vitally important interests of the data subject, including life and health;
- the processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority which necessarily include the processing of personal information for the fulfilment of its mandate; or
- the processing is necessary for the purposes of the legitimate interests pursued by the PIC or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
On the other hand, the processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
- the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
- the processing is provided for by existing laws and regulations, provided that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information, and provided further that the law or regulation permitting the processing does not require the consent of the data subject;
- the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
- the processing is necessary to achieve the lawful and non-commercial objectives of public organisations and their associations, provided that such processing is confined to and related to the bona fide members of these organisations or their associations, provided further that the sensitive personal information is not transferred to third parties, and provided finally that the consent of the data subject was obtained prior to processing;
- the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or
- the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when provided to government or public authority.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The NPC is the primary government agency tasked to implement and enforce the Philippines' data privacy laws.
3.2. Main powers, duties and responsibilities
The NPC is composed of three Privacy Commissioners and has the following functions: rulemaking, advisory, public education, compliance and monitoring, adjudication of complaints, investigation and enforcement, and such other functions as may be necessary to fulfil its mandate under the Act.
Pursuant to its authority to compel any entity to abide by its orders on a matter of data privacy, the NPC has issued decisions, resolutions, and orders to various entities, which are published on its website.
The NPC has issued decisions on complaints of privacy violations, directing the concerned PIC to:
- revise its daily time record system and privacy impact assessment to reflect and address compliance gaps resulting in privacy risks that needed to be mitigated by reasonable and appropriate organisational, physical, and technical measures (NPC CID Case No. 17-K-003);
- submit the designation of Data Protection Officers/Compliance Officers, a copy of its Security Incident Management Policy, including documents demonstrating the creation of its Breach Response Team as well as the dissemination of the Security Incident Management Policy, and the complete Post-Breach Report on the management of a Personal Data Breach (NPC CID Case No. 17-002); and
- act on a request for correction, removal, and/or rectification of a data subject’s account, which had not been addressed, and provide assistance to the affected data subject to ensure that he is able to exercise his rights (CID No. 17-K-004).
The NPC has issued resolutions confirming that:
- PICs and PIPs that practice larger-scale and higher-risk type of processing are expected to provide data subjects with clear, concise, intelligible, and easy to understand information to guide and provide the data subjects with a clear picture and genuine choice about their use of their personal data to comply with the principle of transparency (NPC Case No. 17-001); and
- the on-site examination in the Rules of Procedures of the NPC is not mandatory, and is discretionary to the investigating officer (NPC Case No. 17-003).
The NPC has issued orders directing the concerned PIC to:
- notify all data subjects of an unauthorised online publication of the PIC's website database and to explain why further action should not be taken against the PIC for failure to notify the data subjects of the occurrence of a data breach within the required 72-hour period (Commission-Issued Order CIDBN No. 18-058 on Wendy’s Restaurant, Inc (PRO) Data Breach);
- suspend the PIC's food delivery website and to submit a security plan to address data privacy concerns discovered during a vulnerability assessment conducted by the NPC (Commission-Issued Order CIDBN No. 17-043 on Jollibee Foods Corporation);
- submit a comprehensive data breach notification report and to notify affected data subjects, in accordance with Circular 16-03, and to establish a help desk for Filipino users on data privacy matters (Commission-Issued Order CIDBN No. 18-J-162 on Facebook Forced Logout); and
- suspend the PIC’s pilot test and plans to roll out three new data processing systems because of deficiencies in the systems’ risk assessment and mitigation, insufficient privacy impact assessment and privacy notice, and the unclear purpose behind the data processing (NPC CC 20-001 In re: Grab Philippines).
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: Refers to all types of personal information, whereas 'personal information' is defined as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Sensitive Data: Referred to as sensitive personal information under the Act, refers to personal information:
- regarding an individual's race, ethnic origin, marital status, age, colour and religious, philosophical or political affiliations;
- regarding an individual's health, education, the genetic or sexual life of a person, or to any proceeding for any offence committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- issued by government agencies and peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension, or revocation, and tax returns; and
- specifically established by an executive order or an act of Congress to be kept classified.
Data Controller: PIC refers to a natural or juridical person or any other body who controls the processing of personal data or instructs another to process personal data on its behalf.
Data Processor: PIP refers to any natural or juridical person or any other body to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject.
Privileged Information: Refers to any and all forms of data which under the Philippine Rules of Court and other pertinent laws constitute privileged communication (e.g. information between client and lawyer) and is subject to similar rules on lawful processing which are applied to sensitive personal information.
Processing: Refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
The PIC and PIP shall register their data processing systems, defined as structures and procedures by which personal data is collected and further processed in an information and communications system or relevant filing system, with the NPC in the following instances:
- the PIC or PIP employs at least 250 employees;
- the processing includes sensitive personal information of at least 1,000 individuals;
- the processing is likely to pose a risk to the rights and freedoms of data subjects; or
- the processing is not occasional.
In Circular 17-01, however, registration of data processing systems with the NPC was made mandatory for all government bodies or entities, financial institutions, telecommunications networks, business process outsourcing companies, schools and training institutions, hospitals, insurance providers, direct marketing or networking businesses, and pharmaceutical companies engaged in research.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
The IRR provides that a PIC shall be accountable for complying with the requirements of the Act, IRR, and NPC Issuances. Particularly, a PIC shall adhere to the principles of transparency, legitimate purpose, and proportionality; implement reasonable and appropriate organisational, physical, and technical security measures for the protection of personal data; and uphold the rights of data subjects. These security measures should ensure the availability, integrity, and confidentiality of the personal data being processed.
The PIC shall also be responsible for personal data under its control or custody, as well as personal data outsourced or transferred to a PIP or a third party for processing. Personal data is generally considered under a PIC’s control or custody even when the personal data is outsourced or transferred to a PIP or third party, whether domestically or internationally. Accordingly, it shall use contractual or other reasonable means to provide a level of protection to personal data comparable to the Act while personal data is being processed by a PIP or third party. The PIC shall likewise designate an individual or individuals who shall be accountable for compliance with the aforementioned.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
The PIP processes personal data on behalf of a PIC and only upon the documented instructions of the PIC, therefore it cannot process the personal data for its own purposes or engage another PIP without prior instruction from the PIC. However, the PIP has the obligation to immediately inform the PIC if, in its opinion, the PIC’s instruction infringes the Act, its IRR, or any other issuances of the NPC.
Similar to a PIC, the PIP shall uphold the rights of the data subject, and implement adequate organisational, physical, and technical security measures in relation to the personal data it processes.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
Agreements between PICs and PIPs may be in the form of data sharing agreements, or outsourcing, or subcontracting agreements.
Data sharing agreements refer to disclosures or transfers of personal data by PICs or PIPs to third parties. If such disclosure is made by a PIP, such must have been upon the instruction of the PIC concerned. In contrast, outsourcing or subcontracting agreements refer to disclosures or transfers of personal data by PICs to PIPs, in order for the latter to process the data according to the instructions of the PICs.
Data sharing for commercial purposes must be covered by a data sharing agreement, which shall establish adequate safeguards for data privacy and security in order to uphold the rights of data subjects. Outsourcing or subcontracting agreements must set out, among others, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information processor, and the geographic location of the processing under the outsourcing agreement.
9. DATA SUBJECT RIGHTS
The Act recognises the following rights of the data subject:
- the right to be informed when personal data pertaining to him or her is being processed;
- the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing, or profiling;
- the right to reasonably access matters relating to the processing of his or her personal data such as, among others, the identity of the PICs or PIPs that will be given access to his or her personal data;
- the right to rectification or the right to dispute the inaccuracy or error in his or her personal data and have the PIC immediately correct it;
- the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal data from the PIC's filing system;
- the right to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of personal data;
- the right to data portability, i.e., the right to obtain from the PIC a copy of his or her personal data in an electronic or structured format that is commonly used and allows for further use by the data subject; and
- the right to lodge a complaint before the NPC.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
The IRR states that any natural or juridical person involved in the processing of personal data shall designate an individual or individuals who shall function as a data protection officer ('DPO') and whose role includes ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
As an exception and subject to the approval of the NPC, a group of related companies may, instead of appointing individual DPOs, appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies; the individual members of the group shall instead appoint a Compliance Officer for Privacy ('COP'), which refers to an individual or individuals who perform some of the functions of a DPO. Private entities with branches, sub-offices, and other component units may also appoint or designate a COP for each component unit.
The DPO should:
- have expertise in relevant privacy or data protection policies and practices;
- have sufficient understanding of the processing operations being carried out by the PIC or PIP, including its information systems, data security, and/or data protection needs; and
- be a full-time or organic employee of the PIC or PIP.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
Personal Data Breach Notification
A PIC or PIP shall notify the NPC and the affected data subjects upon knowledge that a personal data breach requiring notification has occurred.
The following conditions determine when a personal data breach requires notification:
- the personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
- there is reason to believe that the information may have been acquired by an unauthorised person; and
- the PIC or the NPC believes that the unauthorised acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Furthermore, the notification shall be subject to the following procedures:
- the PIC is required to notify the NPC and the affected data subject(s) within 72 hours from its knowledge of, or reasonable belief that, a personal data breach requiring notification has occurred;
- the notification shall describe, among others, the nature of the breach, the personal data likely to have been involved, and measures taken by the entity to address the breach; and
- the notification shall be submitted to the NPC through written or electronic form, and shall include, among others, the name and contact details of the DPO and a designated representative of the PIC.
Annual Security Incident Reportorial Requirement
To ensure compliance with data privacy laws and to strengthen the monitoring of threats and vulnerabilities that may affect personal data protection, the NPC requires PICs and PIPs to submit an annual report summarising all security incidents and personal data breaches. The annual report should contain all security incidents and personal data breaches of a PIC and PIP from 1 January to 31 December of the preceding year. In addition, it should include a summary of every breach incident and the aggregate number of non-breach incidents.
12. PENALTIES
Any natural or juridical person, or other body involved in the processing of personal data, that is found to have violated the Act, the IRR, or other issuances of the NPC will be subject to administrative, civil, and criminal liabilities.
The penalties provided in the Act and its IRR range from six months to seven years of imprisonment, together with fines ranging from PHP 100,000 (approx. €1,700) to PHP 5 million (approx. €87,100) based on whether personal information or sensitive personal information is involved. Moreover, additional penalties may apply depending on the identity of the offender and the number of affected data subjects.
If the offender is a corporation, partnership, or any other juridical person, the penalty shall be imposed upon the responsible officers who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is an alien, he or she shall be deported without further proceedings after serving the penalties prescribed.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
Data transfers to third parties, including transfers to an affiliate or parent company, require the consent of the data subject and, as discussed in Section 8, the execution of a data sharing agreement or use of a contract or other reasonable means to provide a comparable level of protection while the personal data is being processed by the third party.
Outsourcing or subcontracting generally does not require the consent of the data subject but requires the execution of an outsourcing or subcontracting agreement. In an outsourcing or subcontracting agreement, the PIC shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity, and availability of the personal data processed, prevent its use for unauthorised purposes, and generally, comply with the requirements of the Act, the IRR, other applicable laws for processing of personal data and other issuances of the NPC.
The transfer of personal data to foreign countries is permitted, subject to the relevant provisions of the Act.
It appears that the consent of the employee is generally not necessary prior to processing by an employer of his or her personal data when the processing is:
- necessary or desirable in the context of an employer-employee relationship;
- done for the purposes of pursuing legitimate interests;
- necessary for compliance with a legal obligation to which the employer is subject (e.g. labour laws and tax regulations); or
- provided for by existing laws and regulations.
13.3. Data Retention
Retention of personal data shall be for as long as necessary:
- for the fulfilment of the declared, specified, and legitimate purpose, or when processing for the purpose has been terminated;
- for the establishment, exercise, or defence of legal claims; or
- for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The Act covers both the public and private sectors as the law recognises that personal data and information communications systems in the government sector should be afforded the same security and protection as that given to the private sector.
For the private sector, there are currently no Philippine laws or regulations specifically governing or prohibiting data localisation, subject to the applicable provisions of the Philippines data privacy laws including, among others, the need for consent of the data subject (as may be necessary).