Philippine Data Privacy Act: A Beginner’s Guide

2022-05-25

In the Philippines, privacy is a fundamental human right.

The Philippine Data Privacy Act of 2012, also known as Republic Act 10173, was created to protect this fundamental human right and make organisations accountable for the personal data individuals have entrusted to them. This Data Privacy Act applies to the processing of all types of personal information, and covers individuals and organisations involved in the processing of personal information in the Philippines.

The DPA also created the National Privacy Commission (NPC), an independent body that implements the Data Privacy Act to ensure compliance by both the public and private sectors. The NPC published the Implementing Rules and Regulations (IRR) for the Philippine Data Privacy Act in 2016, as well as several Circulars, which support the DPA and adopt international standards and practices in data protection.

Data Protection Act of the Philippines at a Glance

The Philippine Data Privacy Act is based on four General Data Privacy Principles – Transparency, Legitimate Purpose, Proportionality, and Accountability. These principles should govern the way organisations collect, use, and store personal data.

Transparency entails organisations being clear with data subjects (individuals whose personal information is being processed) about the purpose of collecting and processing their personal data.

Personal information controllers should also have a legitimate purpose for processing. This means that data should be processed fairly and lawfully. The purpose of data processing should fall under one of these criteria to be legitimate – to comply with a legal obligation, to perform a contract obligation, to protect the vital interest of the data subject, to protect public interest, to fulfil a legitimate business interest, or if the data subject has given his consent.

Proportionality, on the other hand, prohibits Personal Information Controllers and Processors (PICs and PIPs) from excessive collection, processing, and storage of data. Personal data must be used only according to the declared purpose.

PICs and PIPs demonstrate accountability for the data entrusted to them by implementing measures to secure the data, by retaining data only for as long as is necessary, and by governing data sharing with third parties and data transfer arrangements.

The Eight Rights Under the Data Privacy Act (DPA) of the Philippines

Aside from these four general principles, the Data Privacy Act also specifies eight rights of data subjects. Organisations should ensure that these rights are upheld as they collect, use, and store the personal data of their customers or employees. These rights include:

1.  The right to be informed

Data subjects should be informed that their personal data will be collected, processed, and stored. Consent should be obtained when necessary.

2.  The right to access

Data subjects have the right to obtain a copy of the personal information that an organisation may possess about them.

3.  The right to object

Data subjects can object to processing if it is based on consent or legitimate business interest.

4.  The right to erasure or blocking

Data subjects have the right to withdraw or order the removal of their personal data when their rights are violated.

5.  The right to damages

