Data Privacy Act Advisory

FOLLOSCO MORALLOS & HERCE
ATTORNEYS AT LAW


25TH FLOOR, 88 CORPORATE CENTER
141 VALERO STREET CORNER SEDEÑO STREET
SALCEDO VILLAGE, MAKATI CITY 1227 PHILIPPINES
TELEPHONE NO. (63 2) 889 0808; 752 2215
FACSIMILE NO. (63 2) 7522217
EMAIL: info@fmh.ph
WEBSITE:  http://www.fmh.ph


DATA PRIVACY ADVISORY
(FMH Law Complimentary Service)


Consistent with the country’s policy to protect the fundamental human right to privacy of communication, Republic Act No. 10173, otherwise known as The Data Privacy Act of 2012 (“DPA”), was enacted on 15 August 2012 and became effective on 3 November 2012. Owing to the issuance of the DPA Implementing Rules and Regulations (“Rules”) only on 24 August 2016, and considering that the National Privacy Commission (“NPC”), an independent body tasked to monitor and ensure compliance of the country with international standards set for personal data protection, was only formally organized in 2016, not much attention was accorded to the DPA and its implementation until recently.


  1. Persons Covered


The DPA applies in general to any person or organization, public or private, involved in the processing of personal information.  Processing is broadly defined to cover any operation or any set of operations performed (automated or manual) upon personal data including, but not limited to—



- Collection
- Storage
- Recording
- Updating and modification
- Organization
- Consolidation
- Retrieval
- Blocking
- Consultation
- Erasure or destruction
- Use



Personal Information (“PI”) is defined as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.


Thus, the DPA regulates the collection and processing of PI, and imposes strict requirements and obligations on those who—


  • Control personal information (“PIC”) (e.g. Insurance Company X, Bank Y, Hospital Z) and
  • Process personal information (“PIP”) (e.g. service provider, IT vendor, external lab).


The DPA has extra-territorial application, i.e., its application extends beyond the Philippine territory as it applies to PIC and PIP which are not found or established in the Philippines, in the following instances:


  1. they process personal data about a Philippine citizen or resident;
  2. the processing of personal data is done in the Philippines; or
  3. the act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, as in the following instances:
    1. Use equipment that is located in the Philippines,
    2. Maintain an office, branch or agency in the Philippines,
    3. Contract is entered into in the Philippines,
    4. Juridical entity unincorporated in the Philippines but has central management and control in the country,
    5. Entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal data,
    6. Entity carries on business in the Philippines, or
    7. Entity collects or holds personal data in the Philippines.


  2. DPA Compliance Requirements


Briefly discussed below are the requirements prescribed by the DPA and the Rules on all persons covered by the DPA.


Primarily, all PICs and PIPs are required to implement reasonable and appropriate organizational, physical, and technical security measures for the protection of Personal Data and their compliance with such requirements is to be monitored by the NPC.  In determining the level of security appropriate for a particular PIC or PIP, the NPC will take into account the nature of the personal data that requires protection, the risks posed by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation.


In particular, the law requires the following:


  1. Implementation of Organizational Security Measures


    1. Designating the Data Protection Officer (“DPO”) and compliance officer for privacy (“COP”) who are the persons accountable for ensuring compliance by an organization with applicable laws and regulations for the protection of data privacy and security;
    2. Establishing Data Protection Policies which include documentation, regular review, evaluation, and updating of the privacy and security policies and practices;
    3. Organizing records of processing activities that sufficiently describe the organization’s data processing system, and identify the duties and responsibilities of those individuals who will have access to Personal Data;
    4. Managing persons who have access to Personal Data;
    5. Establishing policies and procedures for the processing of Personal Data, including collection, management, monitoring, grievance handling and data retention; and
    6. Incorporating data protection and security measures in contracts with PIPs.


  2. Implementation of Physical Security Measures


    1. Implementing policies and procedures to monitor and limit access to and activities involving Personal Data in the room, workstation or facility;
    2. Designing office space and work stations to ensure privacy in the office;
    3. Specifying the duties, responsibilities and schedule of individuals involved in data processing; and
    4. Implementing policies and procedures for the transfer, removal, disposal, and re-use of electronic media.


  3. Implementation of Technical Security Measures


    1. Establishing a security policy with respect to the processing of Personal Data;
    2. Instituting safeguards to protect the computer network against accidental, unlawful or unauthorized usage;
    3. Regularly monitoring security breaches; and
    4. Creating a data breach response team.


  4. Establishment of Data Breach Notification Procedure in case of personal data breach requiring notification


  5. Review of Subcontracting Agreements to ensure the confidentiality, integrity and availability of the Personal Data processed, prevent its unauthorized use, and comply with the requirements of relevant laws and issuances


  6. Registration of DPO, data processing systems and/or automated processing operations in specified instances


  3. Registration Requirements on Particular Covered Persons


One of the key requirements prescribed under the DPA and the Rules, and in connection with item 6 above, is the registration of the DPO, personal data processing systems and automated processing systems with the NPC.  Such registration is required only in specific circumstances as explained below.


Per NPC Circular No. 17-01 dated 31 July 2017 and released last 18 August 2017, the NPC had initially determined the sectors or institutions subject to the mandatory registration requirement under the law, as follows:


  1. Government branches, bodies or entities, including National Government Agencies, Bureaus or Offices, Constitutional Commissions, Local Government Units, Government-Owned and -Controlled Corporations;
  2. Banks and Non-Bank Financial Institutions, including Pawnshops, Non-Stock Savings and Loan Associations (NSSLAS);
  3. Telecommunications Networks, Internet Service Providers and Other Entities or Organizations providing similar services;
  4. Business Process Outsourcing Companies;
  5. Universities, Colleges and Other Institutions of Higher Learning, All Other Schools and Training Institutions;
  6. Hospitals including Primary Care Facilities, Multi-Specialty Clinics, Custodial Care Facilities, Diagnostic or Therapeutic Facilities, Specialized Out Patient Facilities, and Other Organizations processing genetic data;
  7. Providers of Insurance Undertakings, including Life and Nonlife Companies, Pre-Need Companies and Insurance Brokers;
  8. Businesses involved mainly in Direct Marketing, Networking and Companies providing Reward Cards and Loyalty Programs;
  9. Pharmaceutical Companies engaged in Research; and
  10. PIPs processing Personal Data for a PIC included in the preceding items, and Data Processing Systems involving Automated Decision-Making.


ALL OTHER PICs OR PIPs SHOULD REGISTER IF (a) IT EMPLOYS AT LEAST 250 PERSONS OR (b) IS PROCESSING AT LEAST 1,000 RECORDS INVOLVING SENSITIVE PERSONAL INFORMATION.


The registration scheme is currently implemented in two phases as follows:


  1. Phase One:  By 9 September 2017, an organization mandatorily required to register shall register its DPO with the NPC.


The DPO is required to be a full-time or organic employee of the PI controller with expertise in relevant privacy or data protection policies and practices and sufficient understanding of data processing operations. 


The functions of the DPO include:
  • monitoring compliance with the DPA, the Rules and other NPC issuances;
  • ensuring the conduct of privacy impact assessment;
  • advising the PI controller or PI processor regarding complaints and/or requests of data subjects;
  • ensuring proper data breach and security incident management;
  • informing and cultivating awareness on privacy and data protection within the organization;
  • advocating for the development, review and/or revision of policies, guidelines, projects and programs related to privacy and data protection; and
  • other duties and tasks in furtherance of data privacy and security.

The foregoing functions may nonetheless be outsourced or subcontracted to third parties, but the DPO remains the contact person of the PI controller vis-à-vis the NPC.


  2. Phase Two:  By 8 March 2018, an organization mandatorily required to register shall register its Personal Data Processing Systems and/or Automated Processing System with the NPC.


The following information must be provided during registration:


  1. name and contact details of the PIC or PIP, head of agency or organization, and DPO;
  2. purpose or mandate of the government agency or private entity; 
  3. identification of all existing policies relating to data governance, data privacy, and information security, and other documents that provide a general description of privacy and security measures for data protection; 
  4. attestation regarding certifications attained by the PIC or PIP, including its relevant personnel, that are related to personal data processing; 
  5. brief description of data processing system or systems: 
    1. name of the system; 
    2. purpose or purposes of the processing; 
    3. whether processing is being done as a PIC, PIP, or both; 
    4. whether the system is outsourced or subcontracted, and if so, the name and contact details of the PIP; 
    5. description of the category or categories of data subjects, and their personal data or categories thereof; 
    6. recipients or categories of recipients to whom the personal data might be disclosed; and 
    7. whether personal data is transferred outside of the Philippines.
  6. notification regarding any automated decision-making operation.


  4. Consequences of Non-compliance


In the event an organization is found to be in violation of the DPA, the Rules, or other issuances of the NPC, the NPC may issue compliance and enforcement orders, cease and desist orders, or a temporary or permanent ban on processing of personal data, or prescribe the payment of fines. In addition, in the event of a data breach or in the event a data subject complains to the NPC with regard to violation of his/her rights, the NPC may construe an organization’s late registration or non-registration as negligence in its obligations relating to data privacy.


In addition, in case a suit is brought against an organization, and it fails to show compliance with the requirements outlined above, it may be penalized under the DPA for any of the following acts:


  • Unauthorized processing of PI and SPI
  • Accessing PI and SPI due to Negligence
  • Improper disposal of PI and SPI
  • Processing of PI and SPI for Unauthorized Purposes
  • Unauthorized access or intentional breach
  • Concealment of security breaches involving SPI
  • Malicious disclosure
  • Unauthorized disclosure


Imposable penalties consist of a fine (ranging from Php100,000.00 to Php5 million) and imprisonment for a period ranging from six (6) months to seven (7) years.


Should you have any question or need any assistance on your organization’s data privacy compliance, please do not hesitate to contact us.


Faithfully yours,


FOLLOSCO MORALLOS & HERCE