
DATA PRIVACY ACT AND IMPLEMENTING RULES AND REGULATIONS

I. Salient provisions of the Act and the IRR:

A. Brief Description of the Law


Under the Data Privacy Act, companies will need to obtain the consent of their employees
and customers in order to lawfully secure and process personal data in the course of their
employment relationship or business dealings. Such consent must be evidenced by
written, electronic or recorded means.

B. Scope
The Act applies to the processing of all types of personal information and to any person
or company involved in personal information processing. The Act admits certain
exceptions, including but not limited to, information necessary to carry out the functions
of public authority and banks in compliance with the Anti-Money Laundering Act.

C. The National Privacy Commission


To administer and implement the Act and to monitor and ensure compliance, an
independent National Privacy Commission is created with various powers of rulemaking,
adjudicating complaints and conducting investigations, and enforcement which includes
imposition of fines and penalties.

D. Criteria for Lawful Processing of Personal Information


For processing to be lawful, one of the following conditions must be complied with:

1. The data subject must give consent prior to collection or as soon as practicable;
2. The processing involves personal information of a data subject who is a party to
a contractual agreement;
3. The processing is necessary to comply with a legal obligation;
4. The processing is necessary to protect important interests of the data subject,
including life and health;
5. The processing is necessary to respond to national emergency or to comply with
public order and safety;
6. The processing is necessary to fulfill the mandate of a public authority;
7. The processing is necessary to pursue legitimate interests of the personal
information controller or third party.

E. Sensitive Personal Information and Privileged Information

Page 1 of 6
The processing of sensitive personal information and privileged information is not
allowed except if:

1. The data subject/s gave consent;
2. The processing is provided for by laws and regulations;
3. The processing is necessary to protect the life and health of the data subject, and
the data subject is not able to express consent;
4. The processing is necessary to achieve a lawful objective of public organizations;
5. The processing is necessary for medical treatment;
6. The processing is necessary to protect the lawful rights of persons.

Sensitive personal information and privileged information comprise race, ethnic origin,
marital status, age, color, religious and political affiliations, health, education, genetic or
sexual life, court proceedings, government issuances such as social security numbers,
health records, licenses or its denials, and tax returns.

F. Subcontract of Personal Information


The processing of personal information may be subcontracted, provided that the personal
information controller remains responsible for ensuring that proper safeguards are in place.

G. Rights of Data Subject


The data subject is entitled to:

1. Right to be informed
The data subject should be notified and furnished with the information, purpose,
period of storage, contact details of the personal data controller, and to whom it
will be disclosed, before the entry of personal data into the processing system.
2. Right to object
The data subject has the right to object to the processing of personal data. The
data subject shall also be given an opportunity to withhold consent in case of
changes or amendments.
3. Right to access
The data subject has the right to reasonable access to, upon demand, the
contents of personal data, sources, recipients, and the identity of the personal
information controller, among others.
4. Right to rectification
The data subject has the right to dispute the inaccuracy or error in the personal
data and have it corrected immediately.
5. Right to erasure or blocking
The data subject has the right to order the blocking, removal or destruction of
personal data.
6. Right to damages

The data subject shall be indemnified for damages due to false or unauthorized
use of personal data.

H. Organizational Security Measures


Personal information controllers and personal information processors shall comply with
the following guidelines:

1. Compliance officers
Accountable for ensuring compliance with laws and regulations for the protection
of data.
2. Data protection policies
Policies that provide for organization, physical, and technical security measures.
3. Records of processing activities
Records that sufficiently describe its data processing system, and identify the
duties of individuals who have access to personal data.
4. Management of human resources
Employees, agents, or representatives shall hold personal data under strict
confidentiality even after terminating employment or contractual relationship.
There should be training programs for them regarding privacy policies.
5. Processing of personal data
Implementation of procedures that limit the processing of data for the declared
purpose, system monitoring, and protocols to follow, among others.
6. Contracts with personal information processors
Processors should provide sufficient guarantees to implement security measures.

I. Physical Security Measures

1. Limit access to work stations.
2. Design of office space and work stations to provide privacy to anyone processing
personal data.
3. The schedules of individuals in the processing of personal data should be clearly
defined.
4. There should be policies and procedures on the transfer and removal of electronic
media to protect personal data.
5. There should be policies and procedures that prevent mechanical destruction of
files and equipment.

J. Technical Security Measures

1. There should be a security policy for the processing of personal data.
2. There should be safeguards to protect the computer network against
unauthorized usage.
3. The processing system and services should have integrity and be resilient.
4. There should be regular monitoring for security breaches.
5. There should be the ability to restore personal data in a timely manner in the
event of incidents.
6. There should be a process for regularly testing the security measures.
7. Personal data should be encrypted during storage, together with other measures
that limit access.

K. Acts Punished and Penalties

1. Unauthorized processing of personal information and sensitive personal
information – Imprisonment from 1 year to 6 years and a fine of Php500,000.00
to Php4,000,000.00
2. Accessing information due to negligence – Imprisonment from 1 year to 6 years
and a fine of Php500,000.00 to Php4,000,000.00
3. Improper disposal of information – Imprisonment from 6 months to 3 years and
a fine of Php100,000.00 to Php1,000,000.00
4. Processing of information for unauthorized purposes – Imprisonment from 1 year
and 6 months to 7 years and a fine of Php500,000.00 to Php2,000,000.00
5. Unauthorized access or intentional breach – Imprisonment from 1 year to 3 years
and a fine of Php500,000.00 to Php2,000,000.00
6. Concealment of security breach – Imprisonment from 1 year and 6 months to 5
years and a fine of Php500,000.00 to Php1,000,000.00
7. Malicious disclosure – Imprisonment from 1 year and 6 months to 5 years and a
fine of Php500,000.00 to Php1,000,000.00
8. Unauthorized disclosure – Imprisonment from 1 year to 5 years and a fine of
Php500,000.00 to Php2,000,000.00
9. Combination or series of acts – Imprisonment from 3 years to 6 years and a fine
of Php1,000,000.00 to Php5,000,000.00

L. Data Breach Notification


The Commission and data subject must be notified by the personal information controller
within 72 hours upon knowledge of a personal data breach.

M. Enforcement of the Act

1. The personal data processing systems that involve accessing sensitive personal
information of at least 1000 persons must be registered with the Commission.
2. Submission of annual report of security incident and breaches.
3. The Commission should be notified of processing operations which would
significantly affect the data subject.

4. If less than 250 persons are employed, the personal data processing system
should be registered with the Commission if there is a risk to the rights of the data
subject.

N. Period for Compliance


Personal information controllers and processors should register with the Commission
their data processing systems before August 2017.

II. Recommendations

A. Outsourcing or Subcontracting

1. Implement proper safeguards to ensure the confidentiality of the personal data
(i.e., personal information, sensitive personal information and privileged
information) processed and to prevent its use for unauthorized purposes.
2. Implement the organizational, physical and technical security measures;
3. Oblige its employees, agents, or representatives, through appropriate contractual
agreements, to operate and hold personal information under strict
confidentiality during their employment or contractual relationship or even after
their resignation or the termination of their employment or contractual
relationship; and,
4. Indemnify the company for any of the fines imposed on the company arising from
any act or omission of the personal information processor.

B. Employment Contracts
Employment contracts of employees involved in the processing of personal data,
including but not limited to HR employees, should include provisions obliging them to
operate and hold personal information under strict confidentiality during and even
after their employment or contractual relations as well as to comply with the
abovementioned security measures.

C. Personal Data Breach


In case of personal data breach, or if any other information that may be used to enable
identity fraud is reasonably believed to have been acquired by an unauthorized
person:

1. Immediately take steps to address the same, in no case more than 72 hours
after knowledge by the company, or by its personal information processor, of
such breach; and
2. Submit a written notification to the National Privacy Commission and affected
data subjects within 72 hours upon knowledge of such breach that shall at
least describe: (a) the nature of the breach; (b) the sensitive personal
information possibly involved; and (c) the measures taken by the entity to
address the breach.

D. Registration and Notification

1. If the company has a personal data processing system operating in the country
that involves accessing or requiring sensitive personal information of at least
1,000 individuals, the company should register the same with the Commission.
2. The company should submit to the Commission a notification of Automated
Processing Operations where the processing becomes the sole basis of making
decisions that would significantly affect the data subject.
3. The company should submit to the Commission an annual report of the summary
of documented security incidents and personal data breaches.

Should you have any further questions on the implementation of the law and its effects, please do not
hesitate to contact us.

For your information and appropriate action, please. Thank you.

