B. Scope
The Act applies to the processing of all types of personal information and to any person
or company involved in personal information processing. The Act admits certain
exceptions, including but not limited to, information necessary to carry out the functions
of public authority and banks in compliance with the Anti-Money Laundering Act.
1. The data subject must give consent prior to collection or as soon as practicable;
2. The processing involves personal information of a data subject who is a party to
a contractual agreement;
3. The processing is necessary to comply with a legal obligation;
4. The processing is necessary to protect important interests of the data subject,
including life and health;
5. The processing is necessary to respond to national emergency or to comply with
public order and safety;
6. The processing is necessary to fulfill the mandate of a public authority;
7. The processing is necessary to pursue legitimate interests of the personal
information controller or third party.
Page 1 of 6
The processing of sensitive personal information and privileged information is not
allowed except if:
Sensitive personal information and privileged information comprise race, ethnic origin,
marital status, age, color, religious and political affiliations, health, education, genetic or
sexual life, court proceedings, government issuances such as social security numbers,
health records, licenses or their denials, and tax returns.
1. Right to be informed
The data subject should be notified and furnished with the information, purpose,
period of storage, contact details of the personal data controller, and to whom it
will be disclosed, before the entry of personal data into the processing system.
2. Right to object
The data subject has the right to object to the processing of personal data. The
data subject shall also be given an opportunity to withhold consent in case of
changes or amendments.
3. Right to access
The data subject has the right to reasonable access to, upon demand, the
contents of personal data, sources, recipients, and the identity of the personal
information controller, among others.
4. Right to rectification
The data subject has the right to dispute the inaccuracy or error in the personal
data and have it corrected immediately.
5. Right to erasure or blocking
The data subject has the right to order the blocking, removal or destruction of
personal data.
6. Right to damages
The data subject shall be indemnified for damages due to false or unauthorized
use of personal data.
1. Compliance officers
Accountable for ensuring compliance with laws and regulations for the protection
of data.
2. Data protection policies
Policies that provide for organizational, physical, and technical security measures.
3. Records of processing activities
Records that sufficiently describe its data processing system, and identify the
duties of individuals who have access to personal data.
4. Management of human resources
Employees, agents, or representatives shall hold personal data under strict
confidentiality even after terminating employment or contractual relationship.
There should be training programs for them regarding privacy policies.
5. Processing of personal data
Implementation of procedures that limit the processing of data for the declared
purpose, system monitoring, and protocols to follow, among others.
6. Contracts with personal information processors
Processors should provide sufficient guarantees to implement security measures.
3. The processing system and services should have integrity and be resilient.
4. There should be regular monitoring for security breaches.
5. The ability to restore personal data in a timely manner in the event of incidents.
6. There should be a process for regularly testing the security measures.
7. The personal data should be encrypted during storage, along with other measures that
limit access.
1. The personal data processing systems that involve accessing sensitive personal
information of at least 1000 persons must be registered with the Commission.
2. Submission of an annual report of security incidents and breaches.
3. The Commission should be notified of processing operations which would
significantly affect the data subject.
4. If less than 250 persons are employed, the personal data processing system
should be registered with the Commission if there is a risk to the rights of the data
subject.
II. Recommendations
A. Outsourcing or Subcontracting
B. Employment Contracts
Employment contracts of employees involved in the processing of personal data,
including but not limited to HR employees, should include provisions obliging them to
operate and hold personal information under strict confidentiality during and even
after their employment or contractual relations as well as to comply with the
abovementioned security measures.
1. Immediately take steps to address the same, in no case more than 72 hours
after knowledge by the company, or by its personal information processor, of
such breach; and
2. Submit a written notification to the National Privacy Commission and affected
data subjects within 72 hours upon knowledge of such breach that shall at
least describe: (a) the nature of the breach; (b) the sensitive personal
information possibly involved; and (c) the measures taken by the entity to
address the breach.
1. If the company has a personal data processing system operating in the country
that involves accessing or requiring sensitive personal information of at least
1,000 individuals, the company should register the same with the Commission.
2. The company should submit to the Commission a notification of Automated
Processing Operations where the processing becomes the sole basis of making
decisions that would significantly affect the data subject.
3. The company should submit to the Commission an annual report of the summary
of documented security incidents and personal data breaches.
Should you have any further questions on the implementation of the law and its effects, please do not
hesitate to contact us.