On 8th September 2012, the Philippines Data Privacy Act (PDPA), also referred to as 'Republic Act No. 10173', was enacted to serve as a strong protector of data. It was the first all-encompassing law to address data privacy in the Philippines, and it held organizations accountable by mandating them to implement robust security measures.
This law established a National Privacy Commission (NPC) responsible for enforcing and overseeing the Data Privacy Act and is vested with rulemaking authority. Under Rule 3, 'it is responsible for developing, promulgating, reviewing or amending rules and regulations for the effective implementation of the Act.' The implementation of this law was crucial in safeguarding the fundamental rights of Filipinos, providing them with a much-needed legal framework to protect their personal information (PI).
Read this article to learn about:
- Historical Context: A Brief Timeline of the PDPA
- Scope and Objectives of the Philippines Data Privacy Act
- The Rights of Data Subjects (Individuals whose PI is processed)
- The Obligations of Data Controllers & Processors (businesses that control the collection, holding, processing, or use of PI, or that perform these activities on another organization's behalf)
- PDPA Compliance and Penalties
Historical Context: A Brief Timeline of the PDPA
Since 1987, a series of key events have led to the enactment of PDPA Philippines. Here is a brief timeline of key events:
- 1987: The Philippine Constitution recognizes the right to privacy as a fundamental human right. However, specific legislation addressing data privacy was still needed.
- 2009: Senate Bill No. 2965 was passed by the Philippine Senate and House of Representatives to protect personal data in information and communication systems, laying the foundation for the PDPA.
- 2012: On August 15, Republic Act No. 10173, known as the PDPA, was signed into law. It provided a comprehensive legal framework for the protection of personal data, including the rights of data subjects, obligations of data controllers and processors, data breach notification requirements, cross-border data transfers, and penalties for non-compliance.
- 2016: The National Privacy Commission (NPC) was established as an independent body responsible for administering and enforcing the provisions of the PDPA. It is the primary authority ensuring compliance, handling complaints, and imposing penalties for violations.
- 2018: The NPC introduced implementing rules and regulations that offered detailed guidelines for organizations to follow in complying with the PDPA, offering clarity on various provisions and helping organizations understand their obligations and responsibilities.
Scope and Objectives of the Philippines Data Privacy Act:
The scope of the PDPA covers the processing of personal information by both government and private entities, whether within or outside the Philippines, if they have a presence, engage in data processing activities, or have links to the Philippines. It lays down the requisites for data controllers and data processors regarding the collection, use, disclosure, and storage of personal data and enforces strict guidelines on consent, data precision, data storage, and security measures for handling data responsibly and ethically.
The main objectives of the PDPA Philippines can be summarized as follows:
- Safeguarding privacy rights and granting individuals control and consent over their sensitive personal information:
  - The PDPA establishes a framework for the lawful and fair processing of personal information to ensure that data subjects are informed about the purposes, methods, and extent of data processing.
- Encouraging the implementation of appropriate security measures:
  - The PDPA mandates organizations to establish safeguards appropriate to the nature of the data being processed, minimizing the risk of data breaches, unauthorized access, alteration, or disclosure.
- Imposing obligations on data controllers and processors for transparency, accountability, and responsibility:
  - Organizations are required to adopt privacy policies, implement data protection measures, and designate a data protection officer to oversee compliance with the law.
- Facilitating cross-border data transfers while ensuring the protection of PI:
  - The PDPA provides mechanisms and standards for the lawful transfer of PI outside the Philippines, harmonizing with international data protection standards to safeguard personal data during cross-border transfers.
Why does it matter to Businesses?
For global businesses, understanding the PDPA Philippines Act is important in order to transact effectively without taking on the risk of a data breach. We sum up the reasons below:
- PDPA compliance is the ticket to play in the global arena of data protection.
- PDPA compliance builds customer trust, earning organizations in or outside the Philippines both loyalty and a bulletproof reputation.
- PDPA compliance can help avoid financial risks and legal nightmares.
The Rights of Data Subjects:
The PDPA places a strong emphasis on protecting the rights of individuals whose personal data is being processed.
Some of the rights conferred upon data subjects under the PDPA guidelines are:
- Right to Be Informed:
Data subjects have the right to be informed about the collection, processing, purpose, and scope of their personal data. For example, a healthcare provider must clearly communicate to patients the types of personal data collected, how it will be used for medical treatment, and any third parties involved in the process.
- Right to Consent:
Data subjects have the right to provide or withhold consent for the processing of their personal data.
- Right to Damages:
Data subjects have the right to receive compensation for any damages incurred due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of sensitive personal information.
- Right to File a Complaint:
If a data subject suspects a violation of their data privacy rights, or feels their personal data has been misused, maliciously disclosed, or improperly disposed of, they can file a complaint with the NPC.
- Right to Access:
Data subjects have the right to obtain confirmation of, and access to, their personal data held by organizations. For example, an individual can request a copy of their credit report from a credit bureau to review the information being stored about their financial history.
- Right to Rectify:
Data subjects have the right to request the correction or amendment of inaccurate or incomplete personal data.
- Right to Erasure or Blocking:
Data subjects have the right to request the deletion, destruction, or blocking of personal data that is unlawfully processed, outdated, or no longer necessary. For example, an individual can ask a social media platform to delete their account and associated personal data when they no longer wish to use the platform.
- Right to Data Portability:
Data subjects, under certain conditions, have the right to obtain a copy of their personal data in a structured, commonly used, and machine-readable format. For example, a user can request a download of their photo albums and other personal data from a cloud storage service in order to transfer it to another platform.
- Right to Object:
Data subjects have the right to object to the processing of their personal data based on legitimate grounds.
The Obligations of Data Controllers and Processors:
The PDPA guidelines impose various obligations on data controllers and processors to ensure responsible and lawful processing of personal data.
Data controllers (DC) determine the purposes and means of processing, while data processors (DP) act on behalf of the controller. Both entities are required to adhere to the following obligations:
- Transparency and Accountability: Both DC and DP must be open and honest about how they handle data. They should have clear privacy policies, appoint a data protection officer (DPO), and take responsibility for their actions.
- Lawful and Fair Processing: Personal data should only be used legally and fairly. The use of sensitive PI is prohibited unless the data subject gives their consent or it is provided for by existing laws and regulations. Both DC and DP must have consent or a valid reason to process data. They should only collect what they need and not keep it for longer than necessary.
- Purpose Limitation: Data should only be collected for specific reasons and should not be used in ways that don't match those reasons. Organizations should only keep data as long as they need it for the stated purpose. Section 19 (a) of Rule 4 (Data Privacy Principles) states: "Data Collection must be for a declared, specified, and legitimate purpose. Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn." It adds that only personal data that is necessary and compatible with the declared, specified, and legitimate purpose shall be collected.
- Security Measures: Strong security measures should be in place to protect data from unauthorized access, changes, or leaks. The key obligations involve having compliance officers, data protection policies, and secure data processing in place, with regular reviews to ensure ongoing compliance with the guidelines as a data privacy best practice. Section 25 of Rule 6 (Security Measures for the Protection of Personal Data) states that "Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data." These security measures shall align with the CIA triad (Confidentiality, Integrity, and Accountability) to protect data from accidental or unlawful destruction, unauthorized access, changes, or leaks.
- Data Breach Management: Organizations need a plan to handle data breaches effectively. Section 38 (a) of Rule 9 (Data Breach Notification) requires organizations to promptly inform the National Privacy Commission (NPC) and the affected individuals within 72 hours of becoming aware of a data breach incident that could harm their rights and privacy. Depending on the nature of the incident or any delay in notification, the Commission may investigate the circumstances leading to the breach by examining the organization's systems and procedures.
- Cross-Border Data Transfer: When sending data outside the Philippines, organizations must ensure the receiving country has similar data protection in place. They should use safeguards like contracts or rules to keep the data safe during the transfer.
PDPA Compliance and Penalties:
Compliance with the Philippines Personal Data Privacy Act (PDPA) is crucial for organizations controlling and processing PI. Failure to comply with the provisions of the PDPA can result in the penalties laid down in Chapter VIII (Penalties), summarized in the table below:
| Philippines PDPA Requirements | Penalties for Non-Compliance |
|---|---|
| Section 25: Unauthorized Processing of Personal Information (PI) and Sensitive PI | Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00; or imprisonment of 3 to 6 years and a fine of Php500,000.00 to Php4,000,000.00 |
| Section 26: Accessing PI and Sensitive PI Due to Negligence | Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00; or imprisonment of 3 to 6 years and a fine of Php500,000.00 to Php4,000,000.00 |
| Section 27: Improper Disposal of PI and Sensitive PI | Imprisonment of 6 months to 2 years and a fine of Php100,000.00 to Php500,000.00; or imprisonment of 1 to 3 years and a fine of Php100,000.00 to Php1,000,000.00 |
| Section 28: Processing of PI and Sensitive PI for Unauthorized Purposes | Imprisonment of 1 year 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00; or imprisonment of 2 to 7 years and a fine of Php500,000.00 to Php2,000,000.00 |
| Section 29: Unauthorized Access or Intentional Breach | Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php2,000,000.00 |
| Section 30: Concealment of Security Breaches Involving Sensitive PI | Imprisonment of 1 year 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00 |
| Section 31: Malicious Disclosure | Imprisonment of 1 year 6 months to 5 years and a fine of Php500,000.00 to Php1,000,000.00 |
| Section 32: Unauthorized Disclosure | Imprisonment of 1 to 3 years and a fine of Php500,000.00 to Php1,000,000.00; or imprisonment of 3 to 5 years and a fine of Php500,000.00 to Php2,000,000.00 |
Improper Data Disposal Can Lead to Penalties in Philippines Data Privacy Act (PDPA):
A crucial aspect of complying with the Philippines Data Privacy Act (PDPA) for data controllers and data processors is understanding section 16 (8e), which refers to the secure disposal of PI once the retention period is over. The Physical Security Measures defined by the NPC describe the retention and disposal procedure to follow in order to avoid the penalties and imprisonment provided for in the Act.
The National Privacy Commission (NPC), the agency that enforces the DPA, has issued guidelines on securely disposing of personal data. According to the NPC, secure disposal means rendering personal data in a form that prevents its reconstruction in whole or in part. Chapter VIII, Section 27 of the Philippines PDPA lays down the penalties for improper disposal of personal and sensitive personal information.
Data Erasure solutions like BitRaser can be valuable in this regard. By utilizing BitRaser, organizations can securely and efficiently handle data erasure requests raised by individuals and remain compliant by permanently removing sensitive data from data-bearing devices.
Additionally, it offers a comprehensive audit trail, enabling organizations to maintain proper records of data erasure activities, which is particularly beneficial when demonstrating PDPA compliance during regulatory audits and inspections.
Solutions like BitRaser not only facilitate compliance with data erasure requirements mandated by the law but also minimize the risks of data leaks that can occur when data-bearing devices are disposed of improperly or change hands.