Contributed by Ocampo & Suralvo Law Offices (the Philippine collaborating firm of DFDL)
Last updated September 2016
- National Legislation
- National Regulatory Authority
- Personal Data
- Sensitive Personal Data
- Scope of Application
- Rights of Data Subjects
- Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
- National Legislation
- Marketing by E-mail
- Marketing by Telephone
- Marketing by Fax
General | Data Protection Laws
General data protection laws
Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “Data Privacy Act”). The Implementing Rules and Regulations of the Data Privacy Act (“IRR”) were promulgated on 24 August 2016.
Entry into force
The Data Privacy Act was signed into law on 15 August 2012 and came into effect on 8 September 2012. The IRR came into effect on 9 September 2016.
National Regulatory Authority
Details of the competent national regulatory authority
The National Privacy Commission (the “Commission”). The Commission is attached to the Department of Information and Communications Technology.
The Commission was constituted in March 2016 with the first two of three commissioners sworn into office on 7 March 2016.
Notification or registration scheme and timing
The IRR requires personal information controllers and personal information processors to register with the Commission if they employ 250 or more persons. Registration is also required by personal information controllers or personal information processors that employ fewer than 250 persons if: (i) the processing they carry out is likely to pose a risk to the rights and freedoms of data subjects; (ii) the processing is not occasional; or (iii) the processing includes sensitive personal information of at least 1,000 individuals.
In addition, the IRR requires personal information controllers to make a notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject.
The IRR sets out the contents of registration or notification, which includes information such as the purposes of the processing, the categories of data subject, the security measures in place for data protection and any proposed transfers of personal data outside the Philippines.
Appointment of a data protection officer
The personal information controller must designate an individual or individuals who are accountable for the organisation’s compliance with the Data Privacy Act. The identity of the individual(s) so designated must be made known to any data subject upon request.
What is personal data?
Both the Data Privacy Act and the IRR define “personal information” as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Is information about legal entities personal data?
What are the rules for processing personal data?
In general, the Data Privacy Act and the IRR allow the processing of personal data subject to: (i) compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the public; and (ii) adherence to the principles of transparency, legitimate purpose and proportionality. The IRR describes these three principles more specifically.
The general principles of the Data Privacy Act and the IRR require personal data to be: (i) collected for declared, specific and legitimate purposes and only processed in a way compatible with such purposes; (ii) processed fairly and lawfully; (iii) accurate, relevant and, where necessary, kept up to date; (iv) adequate and not excessive; (v) retained only for as long as necessary, for the fulfilment of the declared, specified and legitimate purpose or as needed for legal claims or legitimate business purposes, or as provided by law; (vi) kept in a form which permits identification of data subjects for no longer than is necessary; and (vii) disposed of securely to prevent further processing or prejudice to the interests of the data subjects.
The processing of personal information shall only be permitted if at least one of the following conditions exists: (i) the data subject has given consent; (ii) the processing of personal information is necessary for a contract with the data subject or to take steps at the request of the data subject prior to entering into a contract; (iii) the processing is necessary for compliance with a legal obligation; (iv) the processing is necessary to protect vitally important interests of the data subject, including their life and health; (v) the processing is necessary in relation to a national emergency, public order and safety, or to fulfil functions of a public authority; or (vi) the processing is necessary for the personal information controller or recipient’s legitimate interests, except where overridden by the fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
The IRR contains controls on data sharing (which does not include data sharing as part of an outsourcing). Data sharing shall be allowed: (i) when it is expressly authorized by law, provided there are adequate safeguards for data privacy and security, and processing adheres to the principles of transparency, legitimate purpose and proportionality; (ii) in the private sector, if the data subject consents to it and specific conditions are complied with, including executing data sharing agreements in cases of data sharing for commercial purposes, such as direct marketing. These restrictions on data sharing expressly apply to intra-group data sharing.
The Data Privacy Act contains a number of exceptions. It does not apply to personal information originally collected from residents of foreign jurisdictions which is being processed in the Philippines. Other miscellaneous exemptions include the processing of personal information: (i) about government employees acting in an official capacity; (ii) about those contracting with government or obtaining government licences or benefits; (iii) for journalistic, artistic, literary or research purposes; (iv) to carry out the functions of a public authority; and (v) to comply with money laundering and other financial rules.
Are there any formalities to obtain consent to process personal data?
Consent must be a freely-given, specific, informed indication of the data subject’s will. It must be evidenced by written, electronic or recorded means.
What is sensitive personal data?
The Data Privacy Act and the IRR define sensitive personal information as personal information: (i) about an individual’s race, ethnic origin, marital status, age, colour, religious, philosophical or political affiliations, health, education, genes or sexual life, or offences or alleged offences relating to that individual; and (ii) issued by government agencies peculiar to an individual which includes social security numbers, health records, licences and tax returns.
Specific protection is also given to information that is subject to legal privilege.
Further classes of sensitive personal information can be identified by an executive order or an act of Congress.
Are there additional rules for processing sensitive personal data?
In general, the processing of sensitive personal information and privileged information is prohibited except where: (i) the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing; (ii) the processing is provided for by existing laws and regulations; (iii) the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not able to give consent; (iv) the processing is carried out for limited non-commercial purposes by public organisations and their associations; (v) the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or (vi) the processing is necessary for court proceedings or legal claims, or is provided to the government or a public authority.
Are there any formalities to obtain consent to process sensitive personal data?
The same formalities as those required for the processing of personal information apply. However, consent must be specific to the purpose and given by the data subject prior to the processing of the sensitive personal information. In the case of privileged information, the consent must come from all the parties to the exchange of privileged information.
What is the territorial scope of application?
The Data Privacy Act and the IRR apply to information controllers and processors established in the Philippines. They apply to the processing of personal data by any natural and juridical person in the government or private sector.
The Data Privacy Act also applies to entities established outside of the Philippines if certain links exist to the Philippines. For example, where: (i) the processing relates to personal information about a Philippine citizen or a resident; (ii) the entity has a link with the Philippines (such as a contract entered into in the Philippines or a branch or agency in the Philippines) and the entity is processing personal information about Philippine citizens or residents; or (iii) the entity has other links such as a business in the Philippines or where it collects and holds personal information in the Philippines.
Who is subject to data protection legislation?
The Data Privacy Act places accountability on the “personal information controller” for personal information under its control or custody, including information that has been transferred to a third party for processing.
The Data Privacy Act also applies to “personal information processors” to whom a personal information controller may outsource the processing of personal data.
Are both manual and electronic records subject to data protection legislation?
The Data Privacy Act applies to both manual and electronic records. The law and the IRR state that they cover information whether recorded in material form or not.
Data subjects are entitled to an indemnity for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of personal information. Pursuant to the exercise of its quasi-judicial functions, the Commission shall award an indemnity to an aggrieved party on the basis of the provisions of the Philippine Civil Code.
Fair processing information
Data subjects should be provided with the following information prior to their personal information being added to a processing system or at the next practical opportunity: (i) a description of the personal information to be entered into the system; (ii) the purposes of processing; (iii) the scope and method of the personal information processing; (iv) the recipients; (v) automatic means to access the personal information; (vi) the identity and contact details of the personal information controller or its representative; (vii) the period for which the information will be stored; (viii) the existence of their rights; and (ix) the basis of processing, when the processing is not based on the consent of the data subject.
This information does not have to be provided where personal information is disclosed pursuant to a subpoena, where the collection and processing are for obvious purposes, or where the information is being collected and processed as a result of a legal obligation.
Finally, the data sharing principles require that the data subject is provided with certain information prior to collection or before data is shared, including the identity of the personal information controllers or processors that will be given access to the personal data, the purpose of data sharing and other related information.
Rights to access information
The data subject is entitled to reasonable access to: (i) the contents of the personal information that was processed; (ii) the sources of the personal information; (iii) the names and addresses of recipients; (iv) the manner by which the personal information was processed; (v) the reasons for the disclosure of the personal information to recipients; (vi) information on automated decision processes; (vii) the date when personal information concerning the data subject was last accessed and modified; and (viii) the designation, name or identity and address of the personal information controller.
Objection to direct marketing
The Data Privacy Act defines direct marketing as communication by whatever means of any advertising or marketing material which is directed to particular individuals. The IRR explicitly states that the data subject has the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared data.
The data subject is also entitled to object to unauthorised use of their personal information and to have inaccurate or incorrect personal information corrected in some cases.
There are also rights to data portability. Where personal information is processed by electronic means and in a structured and commonly used format, the data subject has a right to obtain the personal information in that format.
The rights of the data subject are transmissible to their heirs and assigns at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising his rights.
Security requirements in order to protect personal data
The personal information controller must implement reasonable and appropriate organisational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. This should protect against natural dangers and human dangers.
The determination of the appropriate level of security must take into account: (i) the nature of the personal information to be protected; (ii) the risks represented by the processing; (iii) the size of the organisation and complexity of its operations; (iv) current data privacy best practices; and (v) the cost of security implementation.
The IRR set out specific security requirements in three areas: (i) organisational measures, including the appointment of compliance officers, adoption of suitable policies and use of suitable contracts with personal information processors; (ii) physical measures, including physical access controls, building design and destruction policies; and (iii) technical security measures, including encryption and intrusion detection.
Specific rules governing processing by third party agents (processors)
The personal information controller must ensure that third parties processing personal information on its behalf shall also implement these security measures.
The IRR require a contract or other legal act to be in place that requires the personal information processor to: (i) only process personal data on the instructions of the personal information controller; (ii) ensure those accessing personal data keep it confidential; (iii) implement appropriate security measures; (iv) not engage another processor without the personal information controller’s prior instruction; (v) assist the personal information controller when data subjects exercise their rights; (vi) assist the personal information controller to comply with the Data Privacy Act and the IRR; (vii) at the choice of the personal information controller, return or destroy personal data at the end of the contract; (viii) demonstrate compliance to the personal information controller and submit to audits; and (ix) inform the personal information controller if their instructions conflict with the Data Privacy Act and the IRR.
The employees, agents or representatives of a personal information controller who are involved in the processing of personal information must keep it confidential unless it is intended for public disclosure.
Notice of breach laws
Under the Data Privacy Act and its IRR, the Commission and affected data subjects must be notified of a personal data breach where: (i) it is reasonably believed that an unauthorized person has acquired sensitive personal information or any other information that enables identity fraud; and (ii) the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
The notification must be made within seventy-two (72) hours. Notification may be delayed where necessary to determine the scope of the breach, prevent further data breaches and secure the underlying system. The Commission may also authorise the postponement of notification where it may hinder criminal investigations related to a serious breach. The Commission may exempt the personal information controller from notifying data subjects where: (i) it would not be in the public interest or in the interests of data subjects; or (ii) the controller has complied with the security requirements and acquired the personal information in good faith.
The notification shall describe the nature of the breach, the personal data possibly involved, and the measures taken by the entity to address the breach.
Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.
Under the IRR, a report summarising documented security incidents and personal data breaches shall be provided to the Commission annually.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
Transfers to third countries are permissible under the Data Privacy Act.
However, each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing overseas. The personal information controller must use contractual or other reasonable means to provide a comparable level of protection for personal information processed by a third party.
Notification and approval of national regulator (including notification of use of Model Contracts)
Use of binding corporate rules
The Data Privacy Act does not contain the concept of binding corporate rules.
Breach of the law is punishable by imprisonment for up to seven (7) years and monetary penalties of up to five (5) million pesos (approximately EUR 100,000). If the offender is a legal person, the penalty shall also be imposed upon responsible officers if the breach is as a result of their participation or gross negligence.
If the offender is an alien, he or she shall be deported without further proceedings after serving the penalties prescribed.
The Commission has the power to receive and settle complaints, institute investigations and award compensation. The Commission can prepare and publish reports on any investigation it initiates.
The Commission is newly constituted and the IRR have only been recently issued. No sanction has been issued to date.
The Commission may issue cease and desist orders and impose a ban on the processing of personal information, if the processing is detrimental to national security and public interest.
The Commission cannot prosecute breaches of the Data Privacy Act itself although it may recommend that the Department of Justice bring a prosecution.
ePrivacy | Marketing and cookies
Online privacy is dealt with mainly by Republic Act No. 10175, known as the Cybercrime Prevention Act of 2012 (“Cybercrime Prevention Act”). The Cybercrime Prevention Act protects computer data and systems, including prohibiting violations of an individual’s rights to online privacy.
Certain administrative rules also cover electronic privacy issues, particularly direct marketing and cookies. This includes: (i) the Insurance Commission Circular Letter No. 2014-47 of the 2014 Guidelines on Electronic Commerce of Insurance Products (“Insurance E-Commerce Guidelines”); (ii) NTC Memorandum Circular No. 03-03-2005A, as amended by Memorandum Circular No. 04-07-2009 (“Broadcast Messaging Service Rules”); and (iii) the “Consumer Act” and the Department of Trade and Industry Administrative Order No. 2-93 of Rules and Regulations Implementing Republic Act No. 7394 on the Consumer Act (“Consumer Act Rules”).
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
Under the Insurance E-Commerce Guidelines, insurance providers shall not transmit marketing e-mails to consumers without their consent, except when insurance providers have an existing relationship with them. An existing relationship is not established by consumers simply visiting the insurance providers' website. Any marketing e-mail messages that insurance providers send shall prominently display a return e-mail address and shall provide in plain language a simple procedure by which consumers can notify insurance providers that they do not wish to receive such messages.
The Broadcast Messaging Service Rules cover commercial and promotional advertisements, surveys and other messages sent via broadcast/push messaging service. Under the Broadcast Messaging Service Rules, content and/or information service providers are not allowed to send and/or initiate push messages unless the subscriber asks for them by communicating with the provider through written correspondence, text messaging, internet, or other similar means of communication. Moreover, commercial and promotional advertisements, surveys and other broadcast messages shall be allowed only upon prior written consent by the subscribers.
Conditions for direct marketing by e-mail to corporate subscribers
The Insurance E-Commerce Guidelines protect consumers, which they define as individuals or legal persons engaged in commercial activity. The Broadcast Messaging Service Rules apply to both individual and corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing, including requiring the disclosure of details of the seller, relevant terms and conditions and payment information. These rules only apply when dealing with consumers who are natural persons.
The Cybercrime Prevention Act makes unsolicited commercial electronic marketing communications a cybercrime, unless: (i) there is a prior affirmative consent from the recipient; (ii) the primary intent of the communication is to provide a service and/or administrative announcements to existing customers; or (iii) the communication does not disguise the sender, does not include misleading information and allows the recipient to opt out. However, in 2014, the Philippine Supreme Court, while upholding other provisions of the Cybercrime Prevention Act, struck down as unconstitutional the provision on unsolicited commercial communications for violating a person’s right to freedom of expression.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The Consumer Act also deals with home solicitation sales which include solicitation by telephone.
Business entities conducting home solicitation sales of any consumer product or service must obtain a permit from the Department of Trade and Industry. In addition: (i) home solicitation sales may be conducted only between 9am and 7pm unless otherwise agreed; (ii) home solicitation sales shall only be conducted by a person who has the proper identification and authority from his principal; (iii) sales generated from home solicitation sales shall be properly receipted; and (iv) there must be no misrepresentation, for example that the consumer has been specially selected or that the purpose of the call is for a survey or research.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
These conditions do not apply to corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing (see above).
Conditions for direct marketing by fax to individual subscribers
The same conditions apply as for direct marketing by telephone.
Conditions for direct marketing by fax to corporate subscribers
These conditions do not apply to corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing (see above).