Data Protected - Philippines
Contributed by Ocampo & Suralvo Law Offices
Last updated December 2017
General | Data Protection Laws
National Supervisory Authority
Scope of Application
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
Marketing by E-mail
Marketing by Telephone
General | Data Protection Laws
General data protection laws
Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “Data Privacy Act”). The Implementing Rules and Regulations of the Data Privacy Act (“IRR”) were promulgated on 24 August 2016.
Entry into force
The Data Privacy Act was signed into law on 15 August 2012 and came into effect on 8 September 2012. The IRR came into effect on 9 September 2016.
National Supervisory Authority
Details of the competent national supervisory authority
The National Privacy Commission (the “Commission”). The Commission is attached to the Department of Information and Communications Technology.
3rd Floor, Core G
GSIS Headquarters Bldg.
Metro Manila 1308
Notification or registration scheme and timing
The IRR requires personal information controllers and personal information processors to register their data processing systems with the Commission if: (i) they employ 250 or more people; (ii) the processing includes sensitive personal information of at least 1,000 individuals; (iii) the processing is likely to pose a risk to the rights and freedoms of data subjects; or (iv) the processing is not occasional.
Processing operations that pose a risk to data subjects include those that involve: (i) information that would likely affect national security, public safety, public order, or public health; (ii) information required by applicable laws or rules to be confidential; (iii) vulnerable data subjects (i.e. where an imbalance exists in the relationship between a data subject and a personal information controllers or a personal information processors).
The Commission has determined that the following sectors are involved in (a) processing likely to pose a risk to the rights and freedoms of data subjects (b) and/or processing which is not occasional, thus subject to mandatory registration (i) Government; (ii) banks and non-bank financial institutions; (iii) telecommunication networks and internet service providers; (iv) business process outsourcing companies; (v) educational institutions; (vi) hospitals and healthcare facilities; (vii) insurance companies; (viii) business engaged in direct marketing, reward cards and loyalty programs; (ix) pharmaceutical companies engaged in research; and (x) personal information processors processing personal data for a personal information controller included in the preceding items, and data processing systems involving automated decision-making.
The initial registration process is broken down into two phases: the appointment of a data protection officer and the registration of the data processing systems. The deadline for Phase I registration was 11 September 2017 and the deadline for Phase II registration is 8 March 2018. Upon registration, personal information controllers and personal information processors are issued with a certificate valid until 8 March the following year and which must be renewed annually.
Under the Commission’s guidelines, the timing for registration of data processing systems is two months from the commencement of the processing.
The IRR sets out the contents of registration or notification, which includes information such as the purposes of the processing, the categories of data subject, the security measures in place for data protection and any proposed transfers of personal data outside the Philippines.
Exemptions to notification
Under the IRR, personal information controllers or personal information processors that employ fewer than 250 people will not be required to register unless: (i) the processing includes sensitive personal information of at least 1,000 individuals; (ii) the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects; and (iii) the processing is not occasional.
Any personal information controllers and personal information processors not subject to mandatory registration may voluntarily register with the Commission.
Scope of Application
What is the territorial scope of application?
The Data Privacy Act and the IRR apply to controllers and processors established in the Philippines and the processing of personal data by any natural and juridical person in the government or private sector.
The Data Privacy Act also applies to entities established outside of the Philippines if certain links exist to the Philippines. For example, where: (i) the processing relates to personal information about a Philippine citizen or a resident; (ii) the entity has a link with the Philippines (such as a contract entered into in the Philippines or a branch or agency in the Philippines) and the entity is processing personal information about Philippine citizens or residents; or (iii) the entity has other links such as a business in the Philippines or where it collects and holds personal information in the Philippines.
Is there a concept of a controller and a processor?
The Data Privacy Act places accountability on the “personal information controller” for personal information under its control or custody, including information that has been transferred to a third party for processing.
The Data Privacy Act also applies to “personal information processors” to whom a personal information controller may outsource the processing of personal data.
Are both manual and electronic records subject to data protection legislation?
The Data Privacy Act applies to both manual and electronic records. The law and the IRR states that it covers information whether recorded in material form or not.
Are there any national derogations?
The Data Privacy Act contains a number of exceptions. It does not apply to personal information originally collected from residents of foreign jurisdictions which is being processed in the Philippines. Other miscellaneous exemptions include the processing of personal information: (i) about government employees acting in an official capacity; (ii) about those contracting with government or obtaining government licences or benefits; (iii) for journalistic, artistic, literary or research purposes; (iv) to carry out the functions of a public authority; and (v) to comply with money laundering and other financial rules.
What is personal data?
Both the Data Privacy Act and the IRR define “personal information” as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Is information about legal entities personal data?
What are the rules for processing personal data?
In general, the Data Privacy Act and the IRR allow the processing of personal data subject to: (i) compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the public; and (ii) adherence to the principles of transparency, legitimate purpose and proportionality. The IRR describes these three principles more specifically.
The general principles of the Data Privacy Act and the IRR require personal data to be: (i) collected for declared, specific and legitimate purposes and only processed in a way compatible with such purposes; (ii) processed fairly and lawfully; (iii) accurate, relevant and, where necessary, kept up to date; (iv) adequate and not excessive; (v) retained only for as long as necessary, for the fulfilment of the declared, specified and legitimate purpose or as needed for legal claims or legitimate business purposes, or as provided by law; (vi) kept in a form which permits identification of data subjects for no longer than is necessary; and (vii) disposed of securely to prevent further processing or prejudice to the interests of the data subjects.
The processing of personal information shall only be permitted if at least one of the following conditions exists: (i) the data subject has given consent; (ii) the processing of personal information is necessary for a contract with the data subject or to take steps at the request of the data subject prior to entering into a contract; (iii) the processing is necessary for compliance with a legal obligation; (iv) the processing is necessary to protect vitally important interests of the data subject, including their life and health; (v) the processing is necessary in relation to a national emergency, public order and safety, or to fulfil functions of a public authority; or (vi) the processing is necessary for the personal information controller or recipient’s legitimate interests, except where overridden by the fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
The IRR contains controls on data sharing (which does not include data sharing as part of an outsourcing). Data sharing shall be allowed: (i) when it is expressly authorized by law provided there are adequate safeguards for data privacy and security, and processing adheres to principles of transparency, legitimate purpose and proportionality; (ii) in the private sector, if the data subject consents to it and specific conditions are complied with, including executing data sharing agreements in cases of data sharing for commercial purposes, such as direct marketing. These restrictions on data sharing expressly apply to intra-group data sharing.
Are there any formalities to obtain consent to process personal data?
Consent must be a freely-given, specific, informed indication of the data subject’s will. It must be evidenced by written, electronic or recorded means.
Are there any special rules when processing personal data about children?
Minors (i.e. those below 18 years old) are considered vulnerable data subjects. The processing of their information is considered likely to pose a risk to their rights and freedoms. Consequently, personal information controllers and personal information processors that process minors’ personal data are subject to mandatory registration.
Sensitive Personal Data
What is sensitive personal data?
The Data Privacy Act and the IRR define sensitive personal information as personal information: (i) about an individual’s race, ethnic origin, marital status, age, colour, religious, philosophical or political affiliations, health, education, genes or sexual life, or offences or alleged offences relating to that individual; and (ii) issued by government agencies peculiar to an individual which includes social security numbers, health records, licences and tax returns.
Specific protection is also given to information that is subject to legal privilege.
Further classes of sensitive personal information can be identified by an executive order or an act of Congress.
Are there additional rules for processing sensitive personal data?
In general, the processing of sensitive personal information and privileged information is prohibited except where: (i) the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing; (ii) the processing is provided for by existing laws and regulations; (iii) the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not able to give consent; (iv) the processing is carried out for limited non-commercial purposes by public organisations and their associations; (v) the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or (vi) the processing is necessary for court proceedings or legal claims, or is provided to the government or a public authority.
Are there additional rules for processing information about criminal offences?
The rules for processing information about criminal offences are the same as for sensitive personal data.
In addition, the processing of personal information involving criminal offences is considered likely to pose a risk to a data subject’s rights and freedoms. Hence, personal information controllers and personal information processors that process such personal data are subject to mandatory registration.
Are there any formalities to obtain consent to process sensitive personal data?
The same formalities as those required for the processing of personal information apply. However, consent must be specific to the purpose and given by the data subject prior to the processing of the sensitive personal information. In the case of privileged information, the consent must come from all the parties to the exchange of privileged information.
Data Protection Officers
When must a data protection officer be appointed?
The personal information controller must designate an individual or individuals who are accountable for the organisation’s compliance with the Data Privacy Act. The identity of the individual(s) so designated must be made known to any data subject upon request.
The data protection officer must: (i) possess specialised knowledge and demonstrates reliability necessary for the performance of his or her duties and responsibilities; (ii) have expertise in relevant privacy or data protection policies and practices; (iii) have sufficient understanding of the processing operations being carried out by the personal information controller/personal information processor, including its internal structure, policies and processes, information systems, data security and/or data protection needs; and (iv) be a full-time or organic employee of the personal information controller/personal information processor and ideally be a regular or permanent employee.
If the data protection officer’s employment is based on a contract, the term or duration of the contract should be at least two years to ensure stability. Consultants and project, seasonal, probationary, or casual employees should not be designated as a data protection officer.
The data protection officer may hold other positions in the organisation only if it does not give rise to any “conflict of interest” which arises where tasks, duties and responsibilities may be opposed to or could affect the performance of the data protection officer. This includes, inter alia, holding a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
The deadline for the appointment of a data protection officer was 11 September 2017.
What are the duties of a data protection officer?
The data protection officer is responsible for, among others, the following activities: (i) monitoring compliance with relevant applicable legislation and policies; (ii) conducting privacy impact assessments; (iii) advising the personal information controller/personal information processor regarding complaints and/or the exercise by data subjects of their rights; (iv) ensuring proper data breach and security incident management; (v) informing and cultivating awareness on privacy and data protection within the organisation; advocating for the development, review and/or revision of policies, guidelines, projects and/or programs relating to privacy and data protection; (vi) serving as the contact person vis-à-vis data subjects, the Commission and other authorities in all matters concerning data privacy or security issues or concern and the company; (vii) cooperating, coordinating and seeking advice of the Commission regarding matters concerning data privacy and security; and (viii) performing other duties and tasks that may be assigned by the personal information controller/personal information processor that will further the interest of data privacy and security and uphold the rights of the data subjects.
The data protection officer must have due regard for the risk associated with the processing operations of the personal information controller/personal information processor, taking into account the nature, scope, content, and purposes of processing. This means that he or she must prioritise his or her data protection officer activities and focus on efforts on addressing any issues that present higher data protection risks.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
Personal information controllers and personal information processors must implement reasonable and appropriate organisational, physical, and technical security measures for the protection of personal data.
Organisational measures include the: (i) appointment of a data protection officer who shall also be accountable for ensuring compliance with the laws; (ii) implementation of data protection policies; (iii) keeping of data processing records; (iv) management of employees who have access to personal data (e.g. conduct of capacity building, orientation or training programs for such employees regarding privacy or security policies).
Physical and technical security measures include: (i) monitoring and limiting of access to personal data; and (ii) implementation of policies for the protection of data such as procedure for the removal, disposal, transfer of personal data.
Are privacy impact assessments mandatory?
Under Commission guidelines, in general, a privacy impact assessment must be undertaken for each processing system of a personal information controller or personal information processor. A privacy impact assessment will be required for both new and existing systems, programs, projects, procedures, measures, or technology products that involve or impact processing personal data. For new processing systems, the assessment should be undertaken prior to their adoption, use, or implementation.
A personal information controller or personal information processor may forego the conduct of a privacy impact assessment only if it determines that the processing involves minimal risks to the rights and freedoms of individuals, taking into account recommendations from the data protection officer. In making this determination, the size and sensitivity of the personal data being processed, the duration and extent of processing, the likely impact of the processing to the life of data subject and possible harm in case of a personal data breach should be considered.
Rights of Data Subjects
Data subjects should be provided with the following information prior to their personal information being added to a processing system or at the next practical opportunity: (i) a description of the personal information to be entered into the system; (ii) the purposes of processing; (iii) the scope and method of the personal information processing; (iv) the recipients; (v) automatic means to access the personal information; (vi) the identity and contact details of the personal information controller or its representative; (vii) the period for which the information will be stored; (viii) the existence of their rights; and (ix) the basis of processing, when the processing is not based on the consent of the data subject.
This information does not have to be provided where personal information is disclosed pursuant to a subpoena, where the collection and processing are for obvious purposes, or where the information is being collected and processed as a result of a legal obligation.
Finally, the data sharing principles require that the data subject is provided with certain information prior to collection or before data is shared, including the identity of the personal information controllers or processors that will be given access to the personal data, the purpose of data sharing and other related information.
Rights to access information
The data subject is entitled to reasonable access to: (i) the contents of the personal information that was processed; (ii) the sources of the personal information; (iii) the names and addresses of recipients; (iv) the manner by which the personal information was processed; (v) the reasons for the disclosure of the personal information to recipients; (vi) information on automated decision processes; (vii) the date when his or her personal information concerning the data subject was last accessed and modified; and (viii) the designation, name or identity and address of the personal information controller.
Rights to data portability
There are also rights to data portability. Where personal information is processed by electronic means and in a structured and commonly used format, the data subject has a right to obtain the personal information in that format.
Right to be forgotten
Under the Data Privacy Act and the IRR, data subjects have the right to erasure and blocking. A data subject has the right to suspend, withdraw, order the blocking, removal or destruction of his or her personal information from a personal information controller’s filing system.
This right may be exercised upon discovery and substantial proof of any of the following: (i) the personal data is incomplete, outdated, false, or unlawfully obtained; (ii) the personal data is being used for unauthorised purpose; (ii) the personal data is no longer necessary for the purposes for which they were collected; (iv) the data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing; (v) the personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorised; (vi) the processing is unlawful; or (vii) the personal information controller or personal information processor violated the rights of the data subject.
Objection to direct marketing and profiling
The Data Privacy Act defines direct marketing as communication by whatever means of any advertising or marketing material which is directed to particular individuals. The IRR explicitly states that the data subject has the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared data.
The data subject is also entitled to object to unauthorised use of their personal information and to have inaccurate or incorrect personal information corrected in some cases.
The rights of the data subject are transmissible to their heirs and assigns at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising his rights.
Security requirements in order to protect personal data
The personal information controller must implement reasonable and appropriate organisational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. This should protect against natural dangers and human dangers.
The determination of the appropriate level of security must take into account: (i) the nature of the personal information to be protected; (ii) the risks represented by the processing; (iii) the size of the organisation and complexity of its operations; (iv) current data privacy best practices; and (v) the cost of security implementation.
The IRR set out specific security requirements in three areas: (i) organisational measures, including the appointment of compliance officers, adoption of suitable policies and use of suitable contracts with personal information processors; (ii) physical measures, including physical access controls, building design and destruction policies; and (iii) technical security measures, including encryption and intrusion detection.
Specific rules governing processing by third party agents (processors)
The personal information controller must ensure that third parties processing personal information on its behalf shall also implement these security measures.
The IRR require a contract or other legal act to be in place that requires the personal information processor to: (i) only process personal data on the instructions of the personal information controller; (ii) ensure those accessing personal data keep it confidential; (iii) implement appropriate security measures; (iv) not engage another processor without the personal information controller’s prior instruction; (v) assist the personal information controller when data subjects exercise their rights; (vi) assist the personal information controller to comply with the Data Privacy Act and the IRR; (vii) at the choice of the personal information controller, return or destroy personal data at the end of the contract; (viii) demonstrate compliance to the personal information controller and submit to audits; and (ix) inform the personal information controller if their instructions conflict with the Data Privacy Act and the IRR.
The employees, agents or representatives of a personal information controller who are involved in the processing of personal information must keep it confidential unless it is intended for public disclosure.
Notice of breach laws
Under the Data Privacy Act and its IRR, the Commission and affected data subjects must be notified of a personal data breach where: (i) it is reasonably believed that an unauthorized person has acquired sensitive personal information or any other information that enables identity fraud; and (ii) the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
The notification must be made within seventy-two (72) hours. Notification may be delayed where necessary to determine the scope of the breach, prevent further data breaches and secure the underlying system. The Commission may also authorise the postponement of notification where it may hinder criminal investigations related to a serious breach. The Commission may exempt the personal information controller from notifying data subjects where: (i) it would not be in the public interest or in the interests of data subjects; or (ii) the controller has complied with the security requirements and acquired the personal information in good faith.
The notification shall describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach.
Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.
Under the IRR, a report summarising documented security incidents and personal data breaches shall be provided to the Commission annually.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
Transfers to third countries are permissible under the Data Privacy Act.
However, each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing overseas. The personal information controller must use contractual or other reasonable means to provide a comparable level of protection for personal information processed by a third party.
Notification and approval of national regulator (including notification of use of Model Contracts)
A personal information controller or personal information processor required to register its data processing systems must provide certain details about its data processing system(s) including whether the personal data it processes would be transferred outside of the Philippines.
Use of binding corporate rules
The Data Privacy Act does not contain the concept of binding corporate rules.
Breach of the law is punishable by monetary penalties ranging from 100,000 to five million pesos (approximately €1,700 to €84,000). If the offender is a legal person, the penalty shall also be imposed upon responsible officers if the breach is as a result of their participation or gross negligence.
Offenders shall also be liable to imprisonment ranging from six months to seven years. If the offender is a legal person, the penalty shall also be imposed upon its responsible officers if the breach is as a result of their participation or gross negligence.
Any breach of personal data involving, harming or affecting at least 100 people will be subject to the maximum penalty.
Data subjects are entitled to an indemnity for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of personal information. Pursuant to the exercise of its quasi-judicial functions, the Commission shall award an indemnity to an aggrieved party on the basis of the provisions of the Philippine Civil Code.
If the offender is an alien, he or she shall be deported without further proceedings after serving the penalties prescribed.
The Commission has the authority to perform all acts necessary to enforce its orders, resolutions or decisions, including the imposition of administrative sanctions, fines or penalties.
The Commission may: (i) issue compliance or enforcement orders; (ii) award indemnity on matters affecting any personal data or rights of data subjects; (iii) issue cease and desist orders or impose a temporary or permanent ban on the processing of personal data upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects; (iv) recommend to the Department of Justice the prosecution of crimes and imposition of penalties; (v) compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy; and (vi) impose administrative fines for violations of the Data Privacy Act, the IRR and its other issuances.
In updates on its website, the Commission has indicated that in recent incidents, it issued compliance orders directing entities to implement corrective measures to comply with the law. Additionally, in a specific instance of data breach by a government agency, it recommended the case to the Department of Justice “for further investigation for possible prosecution.”
The Commission also conducts privacy compliance checks to evaluate the existing governance, organisational, physical and technical measures of personal information controllers and personal information processors, with the aim of preventing or mitigating similar incidents in the future.
ePrivacy | Marketing and cookies
Online privacy is dealt with mainly by Republic Act No. 10175, known as the Cybercrime Prevention Act of 2012 (“Cybercrime Prevention Act”). The Cybercrime Prevention Act protects computer data and systems, including prohibiting violations of an individual’s rights to online privacy.
Certain administrative rules also cover electronic privacy issues, particularly direct marketing and cookies. This includes: (i) the Insurance Commission Circular Letter No. 2014-47 of the 2014 Guidelines on Electronic Commerce of Insurance Products (“Insurance E-Commerce Guidelines”); (ii) NTC Memorandum Circular No. 03-03-2005A, as amended by Memorandum Circular No. 04-07-2009 (“Broadcast Messaging Service Rules”); and (iii) the “Consumer Act” and the Department of Trade and Industry Administrative Order No. 2-93 of Rules and Regulations Implementing Republic Act No. 7394 on the Consumer Act (“Consumer Act Rules”).
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
Under the Insurance E-Commerce Guidelines, insurance providers shall not transmit marketing e-mails to consumers without their consent, except when insurance providers have an existing relationship with them. An existing relationship is not established by consumers simply visiting the insurance providers' website. Any marketing e-mail messages that insurance providers send shall prominently display a return e-mail address and shall provide in plain language a simple procedure by which consumers can notify insurance providers that they do not wish to receive such messages.
The Broadcast Messaging Service Rules cover commercial and promotional advertisements, surveys and other messages sent via broadcast/push messaging service. Under the Broadcast Messaging Service Rules, content and/or information service providers are not allowed to send and/or initiate push messages unless the subscriber asks for them by communicating with the provider through written correspondence, text messaging, internet, or other similar means of communication. Moreover, commercial and promotional advertisements, surveys and other broadcast messages shall be allowed only upon prior written consent by the subscribers.
Conditions for direct marketing by e-mail to corporate subscribers
The Insurance E-Commerce Guidelines protect consumers which they define as individuals or legal persons engaged in commercial activity. The Broadcast Messaging Service Rules apply to both individual and corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing, including requiring the disclosure of details of the seller, relevant terms and conditions and payment information. These rules only apply when dealing with consumers who are natural persons.
The Cybercrime Prevention Act makes unsolicited commercial electronic marketing communications a cybercrime, unless: (i) there is a prior affirmative consent from the recipient; (ii) the primary intent of the communication is to provide a service and/or administrative announcements to existing customers; or (iii) the communication does not disguise the sender, does not include misleading information and allows the recipient to opt out. However, in 2014, the Philippine Supreme Court, while upholding other provisions of the Cybercrime Prevention Act, struck down as unconstitutional the provision on unsolicited commercial communications for violating a person’s right to freedom of expression.
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The Consumer Act also deals with home solicitation sales which include solicitation by telephone.
Business entities conducting home solicitation sales of any consumer product or service must obtain a permit from the Department of Trade and Industry. In addition: (i) home solicitation sales may be conducted only between 9am and 7pm unless otherwise agreed; (ii) home solicitation sales shall only be conducted by a person who has the proper identification and authority from his principal; (iii) sales generated from home solicitation sales shall be properly receipted; and (iv) there must be no misrepresentation, for example that the consumer has been specially selected or that the purpose of the call is for a survey or research.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
These conditions do not apply to corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing (see above).