SyCip Salazar Hernandez & Gatmaitan
The following law(s) specifically govern personal data / information:
The Philippines has enacted the Data Privacy Act of 2012 (DPA), which applies to the collection and processing of personal data by any natural or juridical person.
The key data protection principles in this jurisdiction are:
The following are the key data protection principles under the DPA:
- Principle of Transparency – Data subjects must be made aware of the nature, purpose, and extent of the processing of their personal data.
- Principle of Legitimate Purpose – The processing of personal information must be in accordance with a declared and specified purpose that is not contrary to law, morals, or public policy.
- Principle of Proportionality – The processing of personal information must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
The supervisory authority / regulator in charge of data protection is:
The National Privacy Commission or NPC.
Is there a requirement to register with a supervisory authority / regulator?
Yes. Subject to meeting certain criteria, personal information controllers and personal information processors covered by the DPA are required to register their data processing systems with the NPC.
This involves providing the NPC with the following information or documents:
- name and contact details of the head of the organization and the data protection officer;
- constitutive document (e.g. Articles of Incorporation, or Articles of Partnership), if a juridical entity;
- documentary evidence showing the appointment of the data protection officer;
- identification of all existing policies relating to data governance, data privacy, and information security and other documents that provide a general description of privacy and security measures for data protection;
- brief description of data processing systems; and
- attestation regarding certifications obtained relevant to personal data processing.
The registration requirement does not involve the payment of a fee, but the registration must be renewed annually.
Is there a requirement to notify the supervisory authority / regulator?
Is it possible to register with / notify the supervisory authority / regulator online?
The NPC online registration platform is not yet operational and is expected to be launched within 2021.
The key data subject rights under the data protection laws of this jurisdiction are:
Under the DPA, data subjects have the following rights:
- Right to be informed;
- Right to object;
- Right to access;
- Right to rectification;
- Right to erasure or blocking;
- Right to damages;
- Right to data portability;
- Right to lodge a complaint with the NPC; and
- Transmissibility of the data subject's rights to his or her lawful heirs and assigns.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes. All personal information controllers and processors covered by the DPA are required to appoint a data protection officer in all circumstances.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
All personal information controllers and processors covered by the DPA are required to regularly conduct data protection impact assessments in all circumstances.
Does this jurisdiction have any specific data breach notification requirements?
The personal information controller (not the processor) is required to notify the NPC, as well as the affected data subjects, within 72 hours of becoming aware of, or having reasonable belief that, a personal data breach has occurred, under the following circumstances:
- The personal data involves sensitive personal information or any other information that may be used to enable identity fraud.
- There is reason to believe that the information may have been acquired by an unauthorized person and the personal information controller or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
The following restrictions apply to the international transfer of personal data / information:
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the DPA specifically provides for extraterritorial application.
The extraterritorial application of the DPA is triggered when the personal data involved relates to a Philippine citizen or resident or when the act, practice or processing of personal data is done or is engaged in by an entity with other links to the Philippines, such as, but not limited to, use of equipment located in the Philippines, entering a contract in the Philippines, or maintaining a branch office or subsidiary in the Philippines while providing access to personal data to the parent or affiliate entity.
The following rules specifically deal with marketing:
Direct marketing that involves the collection and processing of personal information requires the marketer to obtain the separate, informed, and specific consent of the individual.
The exception is when the marketing material specifically pertains to the entity from which the individual has previously availed of a related product or service, and the marketing activity does not involve the processing of sensitive personal information.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, the DPA does not provide for different rules when it comes to marketing.
However, we note that the requirements of the DPA apply only where personal information of individuals is involved. Thus, where business-to-business marketing does not involve the collection and processing of personal information, the DPA will not apply.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
There are no rules specifically dealing with electronic marketing, i.e. the data protection rules on marketing, whether electronic or not, are the same.
The following rules specifically deal with cookies:
There are no rules specifically dealing with cookies.
The consequences of non-compliance with data protection laws (including marketing laws) are:
The DPA prescribes the imposition of criminal liability for certain acts that violate the rights of data subjects, including the collection, processing, or disclosure of personal data without consent or processing of personal data for unauthorized purposes.
The NPC may impose administrative fines and penalties, which could include the imposition of damages, and may issue enforcement and compliance orders, cease and desist orders, or a temporary or permanent ban on the processing of personal data.
If the offender is a juridical entity, the penalty prescribed by the DPA will be imposed upon the responsible officers who participated in, or by their gross negligence, allowed the commission of the crime.
For criminal offenses, the court may impose imprisonment ranging from 18 months to 7 years and a fine ranging from PhP 500,000 up to PhP 5 million (approximately USD 10,000 up to USD 100,000).
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Multinationals collecting and processing personal information of Philippine citizens or residents, even without being located in the Philippines, are subject to the requirements of the DPA as the DPA has extraterritorial effect.
Aside from the requirement to implement data protection measures (which are usual in other jurisdictions), the DPA also requires personal information controllers and processors covered by the law to implement data sharing agreements or data outsourcing agreements that contain certain provisions ensuring the adequate protection of personal data. These provisions include the requirements to (i) comply with the DPA, (ii) impose a duty of confidentiality on those granted access to the data, (iii) implement appropriate security measures, and (iv) delete or return personal data upon termination of the contract.
Multinational organisations should be aware of the following upcoming data protection developments:
The Philippines has recently joined the APEC Cross Border Privacy Rules (CBPR) System, which is a certification program that companies can join to demonstrate compliance with internationally recognized data privacy protections.
The Philippines is expected to appoint an accountability agent in the coming months that will be tasked to independently assess and certify the compliance of Philippine companies under the APEC CBPR System.