Lecture Notes On Data Privacy Act

1. The Data Privacy Act establishes rules for processing personal information and sensitive personal information.
2. It requires that personal information be collected for legitimate purposes, processed fairly and lawfully, and kept accurate and secure.
3. The Act created the National Privacy Commission to enforce data privacy protections and oversee the processing of personal information.

DATA PRIVACY ACT

(Republic Act No. 10173)


ATTY. KENNERLY ALBERT R. MALINAO, CPA
UNIVERSITY OF MINDANAO
COLLEGE OF ACCOUNTING EDUCATION
DECLARATION OF POLICY
• It is the policy of the State to protect the fundamental human
right of privacy of communication while ensuring free flow of
information, to promote innovation and growth.

• The State recognizes the vital role of information and
communication technology in nation-building and its inherent
obligation to ensure that personal information in information
and communication systems in the government and in the
private sector are secured and protected.

NATIONAL PRIVACY COMMISSION
• The Data Privacy Act (“DPA”) also established a National Privacy
Commission (“NPC”) that enforces and oversees it and is
endowed with rule-making power.
• The NPC is tasked with administering and implementing the
provisions of the DPA.
• The NPC is headed by a Privacy Commissioner, assisted by two
(2) Deputy Commissioners. It is attached to the Department of
Information and Communications Technology (“DICT”), which
itself was only created in 2016 or about 4 years after the
enactment of the DPA.
CONSTITUTIONAL BASIS OF DPA

• The Right to Information and Communications Privacy is
recognized under Article III, Sec. 3(1) of the 1987 Constitution,
which states:
“The privacy of communication and correspondence shall be
inviolable except upon lawful order of the court, or when public
safety or order requires otherwise, as prescribed by law”.

SCOPE OF DATA PRIVACY ACT
This Act applies to the processing of all types of personal information
and to any natural and juridical person involved in personal information
processing including those personal information controllers and
processors who, although not found or established in the Philippines,
use equipment that are located in the Philippines, or those who
maintain an office, branch or agency in the Philippines subject to the
immediately succeeding paragraph: Provided, That the requirements of
Section 5 are complied with.
1. It must involve any processing of personal information;
2. By either natural or juridical persons
3. Whether or not found in the Philippines that uses equipment or
maintains an office, branch or agency in the Philippines.
4. Either acting as a controller or processor

DPA DOES NOT APPLY TO (see Sec. 4, DPA)
1. Information about any individual who is or was an officer or employee of a government institution that relates
to the position or functions of the individual;
2. Information about an individual who is or was performing service under contract for a government institution
that relates to the services performed, including the terms of the contract, and the name of the individual given
in the course of the performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit
given by the government to an individual, including the name of the individual and the exact nature of the
benefit;
4. Personal information processed for journalistic, artistic, literary or research purposes;
5. Information necessary in order to carry out the functions of public authority which includes the processing of
personal data for the performance by the independent, central monetary authority and law enforcement and
regulatory agencies of their constitutionally and statutorily mandated functions.
6. Information necessary for banks and other financial institutions under the jurisdiction of the independent,
central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic
Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of
those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the
Philippines.
EXTRATERRITORIAL APPLICATION
This Act applies to an act done or practice engaged in and outside of the Philippines by an
entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen
or a resident;
2. The entity has a link with the Philippines, and the entity is processing personal
information in the Philippines or even if the processing is outside the Philippines as long
as it is about Philippine citizens or residents such as, but not limited to, the following:
1. A contract is entered in the Philippines
2. A juridical entity unincorporated in the Philippines but has central management and control in the
country; and
3. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate
of the Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
1. The entity carries on business in the Philippines; and
2. The personal information was collected or held by an entity in the Philippines. (SEC. 6, DPA)

WHAT IS PERSONAL INFORMATION?

• Personal information refers to any information whether
recorded in a material form or not, from which the identity of
an individual is:
• Apparent; or
• Can be reasonably and directly ascertained by the entity
holding the information; or
• When put together with other information, would directly
and certainly identify an individual [Sec. 3(g), DPA].

RULES FOR PROCESSING OF PERSONAL
INFORMATION
Personal information must be:
1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably
practicable after collection, and later processed in a way compatible with such declared, specified and
legitimate purposes only;
2. Processed fairly and lawfully;
3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal
information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or
their further processing restricted;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or
for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided
by law; and
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes
for which the data were collected and processed: Provided, That personal information collected for other
purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may
be stored for longer (Sec. 11, DPA)

WHAT IS SENSITIVE PERSONAL INFORMATION?
Sensitive personal information refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliation;
2. About an individual’s health, education, genetic or sexual life of a person, or
any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the
sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes,
but not limited to, social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and tax returns;
and,
4. Specifically established by an executive order or an act of Congress to be
kept classified [Sec. 3(l), DPA].

RULES FOR THE PROCESSING OF SENSITIVE
PERSONAL INFORMATION
General Rule: The processing of sensitive personal information and
privileged information shall be prohibited.
Exceptions:
1. The data subject has given his or her consent, specific to the purpose
prior to the processing, or in the case of privileged information, all
parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee the
protection of the sensitive personal information and the privileged
information: Provided, further, That the consent of the data subjects are
not required by law or regulation permitting the processing of the
sensitive personal information or the privileged information;
3. (for complete list of exemptions, read Sec. 13 of DPA)

QUESTION
Q: Juan Dela Cruz, a Filipino citizen, filled up a survey form. Such
survey form only asked about his favorite coffee flavors and how much
he spends per week for coffee. The survey also asked for his first name.
Is the survey collecting personal information?
A: No. First name by itself cannot reasonably identify an individual.
Juan cannot be identified from other persons named “Juan”. Neither
can information about his favorite coffee flavors and how much he
spends for coffee, even if taken together with his first name, be
said to reasonably identify Juan.
Note: However, if the survey asked for his full name, even if there is
more than one (1) Juan Dela Cruz in the Philippines, it is still
considered as collecting personal information.

QUESTION
Q: Pedro Delos Santos, a Filipino, took a test for HIV, knowing that it
is free, and no ID was required of him, and out of fear, he filled up
the application form with incorrect information. He purports to be
Juan De Vega who is 25 years old. Is such health information a
sensitive personal information?
A: No. Health information such as medical diagnosis or prognosis
by itself is not sensitive personal information unless there is a
Patient ID or name of the patient together with the health
information that can be used to trace back to an individual.
Note: BIR, SSS, GSIS, PhilHealth and other government records are
also classified as Sensitive Personal Information.

WHAT IS PRIVILEGED INFORMATION?

• Privileged Information refers to any and all forms of data which
under the Rules of Court and other pertinent laws constitute
privileged communication.

WHO IS A PERSONAL INFORMATION CONTROLLER?

• The personal information controller (PIC) ensures the implementation
of personal information processing (Sec. 11, DPA).
• It refers to a person or organization who controls the collection,
holding, processing or use of personal information, including a person
or organization who instructs another person or organization to
collect, hold, process, use, transfer or disclose personal information on
his or her behalf. The term excludes:
1. A person or organization who performs such functions as instructed by
another person or organization; and
2. An individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.

WHO IS A PERSONAL INFORMATION PROCESSOR?

• The personal information processor (PIP) refers to any natural or
juridical person qualified to act as such under this Act to whom a
personal information controller may outsource the processing of
personal data pertaining to a data subject.

WHO IS A DATA SUBJECT?
WHAT IS PROCESSING OF INFORMATION?

• A Data Subject refers to an individual whose personal
information is processed (Sec. 3c, DPA).
• Processing of information refers to any operation or any set of
operations performed upon personal information including, but
not limited to the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.

WHAT ARE THE RIGHTS OF A DATA SUBJECT?
The data subject is entitled to:
1. Information – Be informed whether personal information pertaining
to him or her shall be, are being or have been processed;
2. Be furnished the information indicated hereunder before the entry
of his or her personal information into the processing system of the
personal information controller, or at the next practical opportunity;
3. Access – Reasonable access, upon demand, to his information;
4. Rectification – Dispute the inaccuracy or error in the personal
information and have the personal information controller correct it
immediately and accordingly, unless the request is vexatious or
otherwise unreasonable.

5. Erasure/Blocking/Objection – Suspend, withdraw or order the
blocking, removal or destruction of his or her personal
information from the personal information controller’s filing
system upon discovery and substantial proof that the personal
information are incomplete, outdated, false, unlawfully
obtained, used for unauthorized purposes or are no longer
necessary for the purposes for which they were collected.
6. Indemnification – Be indemnified for any damages sustained
due to such inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal information. (SEC.
16, DPA)
ARE THE RIGHTS OF THE DATA SUBJECT
TRANSMISSIBLE?

Yes, the lawful heirs and assigns of the data subject may invoke the
rights of the data subject for which he or she is an heir or assignee
at any time after the death of the data subject or when the data
subject is incapacitated or incapable of exercising the rights as
enumerated in the immediately preceding section. (SEC. 17, DPA)

WHAT IS THE RIGHT TO DATA PORTABILITY?
The data subject shall have the right, where personal information
is processed by electronic means and in a structured and
commonly used format, to obtain from the personal information
controller a copy of data undergoing processing in an electronic or
structured format, which is commonly used and allows for further
use by the data subject.

The Commission may specify the electronic format referred to
above, as well as the technical standards, modalities and
procedures for their transfer. (SEC. 18, DPA)

QUESTION
Q: Atty. X faces suspension from the practice of law for his ‘Facebook posts
maligning and insulting’ the complainant, a famous beauty doctor who
counted local movie stars as clients. His defense was that his Facebook page
had restricted access to ‘Friends Only.’ Is his argument tenable?
A: No. The Court did not accept the lawyer’s argument that the statements
were private since he had restricted access to the page to ‘Friends Only,’
further observing that ‘even if the Court were to accept the [lawyer’s]
allegation that his posts were limited to or viewable by his ‘Friends’ only,
there is no assurance that the same […] will be safeguarded as within the
confines of privacy.’ It noted the social media platform’s goal of allowing ‘the
world to be more open and connected […] in every conceivable way,’ the
implied message being that a person who shares information on social media
shouldn’t be surprised or angry if that information actually does get shared.
(Belo-Henares v. Guevarra, AC No. 11394, dated 1 December 2016.)
