Company compliance with the Philippines’ Data Privacy Act

Applicable companies in the Philippines that missed the 8 September deadline to register their
personal information controller and processor systems with the authorities should do so asap.

In line with the Philippines’ Data Privacy Act 2012, personal information controllers (PICs) and personal
information processors (PIPs) are expected to appoint a Data Protection Officer (DPO), who must be a full-
time or organic employee of the PICs or PIPs. The one-year grace period for this action ended on Friday, 8
September 2017.

Need help to complete this process? Get in touch with the TMF Philippines team today.

Background
In 2012 the Philippines passed the Data Privacy Act, an act protecting individual personal data in
information and communications systems in both the government and the private sector (Republic Act. No.
10173). This comprehensive privacy law also established the National Privacy Commission (NPC), which is
tasked with implementing the provisions of the Act.
On 9 September 2016, the implementing rules and regulations (IRRs) came into force. The law is intended
to bring the Philippines to the next level and ensure compliance with international standards of data
protection.
Obligations
Under the implementing rules and regulations (IRR), the PICs and the PIPs are mandated to register their
personal data processing systems with the NPC under the following conditions:
 If sensitive personal information of at least 1,000 individuals is processed
 If the personal information controller or processor employs at least 250 persons
 If less than 250 persons are employed but the processing is not occasional
or
 If less than 250 persons are employed but the processing of the information might
pose a risk to the rights and freedoms of the data subject.
The IRR sets the required security measures for the protection of personal data:
 assign someone to function as data protection officer, compliance officer or any other
officer accountable for ensuring compliance with applicable laws and regulations on
data privacy and security
 implement appropriate data protection policies that provide for organisation, physical,
and technical security measures
 maintain records that sufficiently describe their data processing system and identify
the duties and responsibilities of those individuals who will have access to personal
data
 select, train and supervise employees, agents, or representatives who will have
access to personal data
 develop, implement and review policies and procedures for the collection and
processing of personal data, for data subjects to exercise their rights under the DPA,
access management, system monitoring, protocols for security incidents or technical
problems, and data retention
  ensure through appropriate contractual agreements that their personal information
processors shall also implement the security measures required by the law and the
IRR
 comply, where appropriate, with physical security guidelines set forth in the IRR, and
 adopt and establish technical security measures such as, but not limited to, security
policy for the processing of personal data; safeguards to protect their computer
network, periodic evaluation of security measures' effectiveness; and personal data
encryption.

To monitor the compliance of PICs and PIPs with the law, summaries of documented security incidents and
personal data breaches have to be reported by the PICs and PIPs to the NPC. In case of any data breach,
the NPC and the affected data subject should be notified by the concerned PIC or PIP within 72 hours from
the discovery of the personal data breach.

Application
The Act and these rules apply to the processing of personal data by any natural and juridical person in the
government or private sector. They apply to an act done or practice engaged in and outside of the
Philippines if:
a. the natural or juridical person involved in the processing of personal data is found or established in
the Philippines
b. the act, practice or processing relates to personal data about a Philippine citizen or Philippine
resident
c. the processing of personal data is being done in the Philippines, or
d. the act, practice or processing of personal data is done or engaged in by an entity with links to the
Philippines, with due consideration to international law and comity, such as, but not limited to, the
following:
1. use of equipment located in the country, or maintains an office, branch or agency in the
Philippines for processing of personal data
2. a contract is entered in the Philippines
3. a juridical entity unincorporated in the Philippines but has central management and control
in the country
4. an entity that has a branch, agency, office or subsidiary in the Philippines and the parent or
affiliate of the Philippine entity has access to personal data.
5.
Impact on businesses – local or foreign
The NPC has initially determined the business sectors or institutions processing personal data and
operating in the Philippines as PICs and PIPs. To ensure compliance, business entities should conduct
assessment and evaluation of their respective organisations.

Penalties
Rule XIII of the IRR specifies the penalties for violations pertaining to personal information and sensitive
personal information that include unauthorised processing, access due to negligence, improper disposal,
processing for unauthorised purposes, unauthorised access or intentional breach, concealment of security
breaches, malicious disclosure, and unauthorised disclosure.

There are corresponding fines and periods of imprisonment for each of these violations, ranging from
P100,000 to P5,000,000 and six months to seven years imprisonment.

Actions
The IRRs allowed for a one-year period (ending on 8 September 2017) within which PICs and PIPs had to
appoint a Data Protection Officer. This is done by submitting a notarised DPO reporting form with
supporting documents. In NPC Advisory No. 2017-01 (Designation of Data Protection Officers), a DPO
should have the following qualifications:
1. Expertise in relevant privacy or data protection policies and practices
2. Sufficient understanding of their organisation's processing operations, information
systems, data security, and/or data protection needs
3. A full-time or organic employee of the personal information controller or processor, as
applicable
4. A regular or permanent employee of the personal information controller or processor, as
applicable, who should hold at least a 2-year employment contract with his or her
organisation, and
5. Independent in the exercise of his or her functions such that the performance of his or her
duties will not give rise to a conflict of interest.

Organisations covered by the requirement to register their data processing systems with the NPC should
also prepare for the 8 March 2018 deadline for phase two of the registration process. In line with the
requirements of the IRR of the Data Privacy Act of 2012, and subject to additional requirements as may be
imposed by the NPC, covered entities should prepare the following information and documents:
1. The name and address of the personal information controller or personal information
processor, and of its representative, if any, including their contact details
2. The purpose or purposes of the processing, and whether processing is being done under
an outsourcing or subcontracting agreement
3. A description of the category or categories of data subjects, and of the data or categories
of data relating to them
4. The recipients or categories of recipients to whom the data might be disclosed
5. Proposed transfers of personal data outside the Philippines
6. A general description of privacy and security measures for data protection
7. Brief description of the data processing system
8. Copy of all policies relating to data governance, data privacy, and information security
9. Attestation to all certifications attained that are related to information and communications
processing, and
10. Name and contact details of the DPO.
Any automated processing operation, where processing is the sole basis of making decisions that would
significantly affect the data subject, must also be notified.