SyCip Salazar Hernandez & Gatmaitan


What law(s) specifically govern personal data / information?

The Philippines has enacted the Data Privacy Act of 2012 (“DPA”), which applies to the collection and processing of personal data by any natural or juridical/legal person.


What are the key data protection principles in this jurisdiction?

The following are the key data protection principles under the DPA:

Principle of Transparency – Data subjects must be made aware of the nature, purpose, and extent of the processing of their personal data.

Principle of Legitimate Purpose – The processing of personal information must be in accordance with a declared and specified purpose that is not contrary to law, morals, or public policy.

Principle of Proportionality – The processing of personal information must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.


What is the supervisory authority / regulator in charge of data protection?

The National Privacy Commission or “NPC”.


Is there a requirement to register with a supervisory authority / regulator?

Yes. Subject to meeting certain criteria, personal information controllers (“PIC”) and personal information processors (“PIP”) covered by the DPA are required to register their data processing systems with the NPC.

This involves providing the NPC with the following information or documents:

  • Details of the PIC or PIP, the Head of Agency or Organization, and the Data Protection Officer (“DPO”):
    • Name and contact details of the PIC or PIP, Head of Agency or Organization, and DPO, as well as the designated Compliance Officer for Privacy, if any, with supporting documents;
    • A unique and official email address tied to the position of DPO within the PIC or PIP, rather than to the individual currently holding that position; and
    • Primary purpose of the private entity.
  • Brief description of the Data Processing System:
    • Name of the system;
    • Basis for the processing of information;
    • Purpose or purposes of the processing;
    • Whether processing is performed as a PIC or as a PIP; if an organization uses the same system both as a PIC and as a PIP, it shall register each usage separately;
    • Whether the system is outsourced or subcontracted and, if so, the name and contact details of the PIP;
    • Description of the category or categories of data subjects, and their personal data or categories thereof;
    • Recipients or categories of recipients to whom the personal data might be disclosed;
    • Description of security measures (organizational, physical, and technical);
    • Whether personal data is transferred outside of the Philippines; and
    • The existence of Data Sharing Agreements with other parties.
  • Identification of all publicly facing online, mobile, or web-based applications, including internal apps with PIC or PIP employees as clients.
  • Notification regarding any automated decision-making operation or profiling.

The NPC may require the payment of reasonable fees for registration. Registration must be renewed annually.


Is there a requirement to notify the supervisory authority / regulator?

Yes. A PIC or PIP that carries out any automated decision-making operation or profiling shall indicate this in its registration record and identify the data processing involved in the automated decision-making or profiling operation. Notification regarding automated decision-making and profiling shall be included in the registration information provided by the PIC or PIP, or through amendments or updates to that registration information.


Is it possible to register with / notify the supervisory authority / regulator online?

Yes. The NPC launched its online registration system on February 3, 2023. The NPC Registration System (“NPCRS”) is an online platform that provides a secure portal for both government and private organizations to register their data processing systems with the NPC. The NPCRS may be accessed at https://npcregistration.privacy.gov.ph/login.


What are the key data subject rights under the data protection laws of this jurisdiction?

Under the DPA, data subjects have the following rights:

  • Right to be informed;
  • Right to object;
  • Right to access;
  • Right to rectification;
  • Right to erasure or blocking;
  • Right to damages;
  • Right to data portability;
  • Right to lodge a complaint with the NPC; and
  • Transmissibility of rights as a data subject to the latter’s lawful heirs and assigns.


Is there a requirement to appoint a data protection officer (or equivalent)?

Yes. All PICs and PIPs covered by the DPA are required to appoint a data protection officer.


Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes. The conduct of a privacy impact assessment to identify risks in the processing of personal data may be included in the organization’s security incident management policy, which includes measures intended to prevent or minimize the occurrence of a personal data breach. The conduct and structure of the privacy impact assessment shall take into account the size and sensitivity of the personal data being processed, and the impact and likely harm of a personal data breach.


Does this jurisdiction have any specific data breach notification requirements?

The PIC (not the PIP) is required to notify the NPC, as well as the affected data subjects, within 72 hours of obtaining knowledge of, or forming a reasonable belief that, a personal data breach has occurred, under the following circumstances:

  • The personal data involves sensitive personal information or any other information that may be used to enable identity fraud.
  • There is reason to believe that the information may have been acquired by an unauthorized person and the PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.


What restrictions apply to the international transfer of personal data / information?

In general, there are no restrictions specifically on cross-border data transfers. However, a transfer of data is treated as processing under the DPA, so the requirements applicable to the processing of personal data apply to the transfer.

Principally, there would be a need for a lawful basis for the transfer, such as consent of the data subject. Further, while there is no express requirement to advise data subjects that their data will be processed outside the Philippines, local laws require PICs to advise data subjects of the categories of recipients of the data. It is considered best practice to advise data subjects if the data will be processed outside the Philippines.

If the transfer constitutes outsourcing (controller to processor), the transfer must be covered by an outsourcing agreement. If the transfer constitutes data sharing (controller to controller), a data sharing agreement (“DSA”) may be executed. While a DSA is not mandatory, its execution is highly encouraged by the NPC and is viewed by the NPC as sound practice.


Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the DPA specifically provides for extraterritorial application.

The extraterritorial application of the DPA is triggered when the personal data involved relates to a Philippine citizen or resident or when the act, practice or processing of personal data is done or is engaged in by an entity with other links to the Philippines, such as, but not limited to, use of equipment located in the Philippines, entering a contract in the Philippines, or maintaining a branch office or subsidiary in the Philippines while providing access to personal data to the parent or affiliate entity.


What rules specifically deal with marketing?

Activities involved in direct marketing may constitute collection and processing of personal information, and thus, will require the marketer, in its capacity as PIC, to comply with the DPA, including adherence to the data privacy principles of transparency, legitimate purpose, and proportionality. The marketer must have a legitimate purpose for the processing of personal data.

In case the processing does not fall under any of the criteria enumerated under the DPA, consent given by the data subject should ideally be the basis of lawful processing of personal information for marketing purposes.

The processing may be lawful even without the consent of the data subject when the marketing material promoted specifically pertains to the entity from which the data subject has previously received a related product or service, and the marketing activity does not involve the processing of sensitive personal information.


Do different rules apply to business-to-business and business-to-consumer marketing?

No, the DPA does not provide for different rules on business-to-business and business-to-consumer marketing.

However, the requirements of the DPA will only apply in cases where personal information of individuals is involved. Thus, to the extent that the business-to-business marketing will not involve the collection and processing of personal information of individuals, the DPA will not apply.


What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

There are no rules specifically dealing with electronic marketing, i.e., the data protection rules on marketing, whether electronic or otherwise, are the same.


What rules specifically deal with cookies?

There are no rules specifically dealing with cookies.


What are the consequences of non-compliance with data protection laws (including marketing laws)?

The DPA prescribes the imposition of criminal liability for certain acts that violate the rights of data subjects, including the collection, processing, or disclosure of personal data without consent or processing of personal data for unauthorized purposes.

The NPC may impose administrative fines and penalties, which could include the award of damages, and may issue enforcement and compliance orders, cease and desist orders, or a temporary or permanent ban on the processing of personal data.

If the offender is a juridical/legal entity, the penalty prescribed by the DPA will be imposed upon the responsible officers who participated in, or by their gross negligence, allowed the commission of the crime.

For criminal offences, the court may impose imprisonment ranging from 18 months to 7 years and a fine ranging from PhP500,000 up to PhP5 million (approximately USD 10,000 up to USD 100,000).


In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Multinationals collecting and processing personal information of Philippine citizens or residents, even without being located in the Philippines, are subject to the requirements of the DPA as the DPA has extraterritorial effect.

Aside from the requirement to implement data protection measures (which are usual in other jurisdictions), the DPA also requires PICs and PIPs covered by the law to implement data outsourcing agreements that contain certain provisions which ensure the adequate protection of personal data. These provisions include the requirements (i) to comply with the DPA, (ii) to impose a duty of confidentiality on those granted with access to data, (iii) to implement appropriate security measures, and (iv) to delete or return personal data upon termination of the contract. In case of data sharing, execution of a DSA is considered best practice.


What upcoming data protection developments should multinational organisations be aware of?

With the launch of the NPCRS and NPC Circular No. 2022-04 taking effect on 11 January 2023, PICs and PIPs that are covered by mandatory registration have 180 days, or until 10 July 2023, to comply. All PICs and PIPs are directed to create an account, through their DPO, and register their Data Processing Systems.

The NPC will no longer accept new registrations, amendments, or renewals of registration except through the NPCRS portal. Submissions through email, personal filing, ordinary mail, licensed courier service, or any other mode of physical submission shall not be considered valid.

All Certificates of Registration with effective dates until 8 March 2023 are extended to 10 July 2023. PICs and PIPs holding old Certificates of Registration bearing a different effective date shall not be considered registered.


Carina Laforteza
SyCip Salazar Hernandez & Gatmaitan
Philippines