Republic Act No. 10173
The Data Privacy Act 2012
I. Definitions of Data
1. Personal Data
Personal information refers to any information whether recorded in a material form or not, from
which the identity of an individual is apparent or can be reasonably and directly ascertained by
the entity holding the information, or when put together with other information would directly and
certainly identify an individual. [1]
2. Sensitive Data
Sensitive personal information refers to personal information:
a. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical
or political affiliations;
b. About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged to have been committed by such person, the
disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but not limited to,
social security numbers, previous or current health records, licenses or its denials,
suspension or revocation, and tax returns; and
d. Specifically established by an executive order or an act of Congress to be kept classified. [2]
1. Data Collector
Personal information must be collected for specified and legitimate purposes determined and
declared before, or as soon as reasonably practicable after collection, and later processed in a
way compatible with such declared, specified and legitimate purposes only. [3]
Rights of the data subject that must be observed by the data collector
The data subject is entitled to:
a. be informed whether personal information pertaining to him or her shall be, are being or have
been processed; and
b. be furnished the information indicated hereunder before the entry of his or her personal
information into the processing system of the personal information controller, or at the next
practical opportunity:
1) Description of the personal information to be entered into the system;
2) Purposes for which they are being or are to be processed;
3) Scope and method of the personal information processing;
4) The recipients or classes of recipients to whom they are or may be disclosed;
5) Methods utilized for automated access, if the same is allowed by the data subject, and
the extent to which such access is authorized;
6) The identity and contact details of the personal information controller or its
representative;
7) The period for which the information will be stored; and
8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a
complaint before the Commission.
Any information supplied or declaration made to the data subject on these matters shall not be
amended without prior notification of the data subject: Provided, That the notification under
subsection (b) shall not apply should the personal information be needed pursuant to a
subpoena or when the collection and processing are for obvious purposes, including when it is
necessary for the performance of or in relation to a contract or service or when necessary or
desirable in the context of an employer-employee relationship, between the collector and the data
subject, or when the information is being collected and processed as a result of legal obligation. [4]

[1] Section 3 (g), Data Privacy Act of 2012
[2] Section 3 (l), Data Privacy Act of 2012
[3] Section 11 (a), Data Privacy Act of 2012
2. Data Controller
Personal information controller refers to a person or organization who controls the collection,
holding, processing or use of personal information, including a person or organization who
instructs another person or organization to collect, hold, process, use, transfer or disclose
personal information on his or her behalf. The term excludes:
a. A person or organization who performs such functions as instructed by another person or
organization; and
b. An individual who collects, holds, processes or uses personal information in connection with
the individual’s personal, family or household affairs. [5]
Obligation of the data controller when an error in the personal information has been
corrected
If the personal information have been corrected, the personal information controller shall ensure
the accessibility of both the new and the retracted information and the simultaneous receipt of the
new and the retracted information by recipients thereof: Provided, That the third parties who have
previously received such processed personal information shall be informed of its inaccuracy and
its rectification upon reasonable request of the data subject. [8]

[4] Section 16, Data Privacy Act of 2012
[5] Section 3 (h), Data Privacy Act of 2012
[6] Section 11, Data Privacy Act of 2012
[7] Section 14, Data Privacy Act of 2012
[8] Section 16 (d), Data Privacy Act of 2012
Obligation of the data controller in maintaining the security of personal information
a. The personal information controller must implement reasonable and appropriate
organizational, physical and technical measures intended for the protection of personal
information against any accidental or unlawful destruction, alteration and disclosure, as well
as against any other unlawful processing.
b. The personal information controller shall implement reasonable and appropriate measures to
protect personal information against natural dangers such as accidental loss or destruction,
and human dangers such as unlawful access, fraudulent misuse, unlawful destruction,
alteration and contamination.
c. The determination of the appropriate level of security under this section must take into
account the nature of the personal information to be protected, the risks represented by the
processing, the size of the organization and complexity of its operations, current data privacy
best practices and the cost of security implementation. Subject to guidelines as the
Commission may issue from time to time, the measures implemented must include:
1) Safeguards to protect its computer network against accidental, unlawful or unauthorized
usage or interference with or hindering of their functioning or availability;
2) A security policy with respect to the processing of personal information;
3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach; and
4) Regular monitoring for security breaches and a process for taking preventive, corrective
and mitigating action against security incidents that can lead to a security breach.
d. The personal information controller must further ensure that third parties processing personal
information on its behalf shall implement the security measures required by this provision.
e. The employees, agents or representatives of a personal information controller who are
involved in the processing of personal information shall operate and hold personal information
under strict confidentiality if the personal information are not intended for public disclosure.
This obligation shall continue even after leaving the public service, transfer to another
position or upon termination of employment or contractual relations.
f. The personal information controller shall promptly notify the Commission and affected data
subjects when sensitive personal information or other information that may, under the
circumstances, be used to enable identity fraud are reasonably believed to have been
acquired by an unauthorized person, and the personal information controller or the
Commission believes that such unauthorized acquisition is likely to give rise to a real risk of
serious harm to any affected data subject. The notification shall at least describe the nature of
the breach, the sensitive personal information possibly involved, and the measures taken by
the entity to address the breach. Notification may be delayed only to the extent necessary to
determine the scope of the breach, to prevent further disclosures, or to restore reasonable
integrity to the information and communications system.
1) In evaluating if notification is unwarranted, the Commission may take into account
compliance by the personal information controller with this section and existence of good
faith in the acquisition of personal information.
2) The Commission may exempt a personal information controller from notification where, in
its reasonable judgment, such notification would not be in the public interest or in the
interests of the affected data subjects.
3) The Commission may authorize postponement of notification where it may hinder the
progress of a criminal investigation related to a serious breach. [9]
Responsibilities of the data controller while personal information under its custody is
being processed by a third party
Each personal information controller is responsible for personal information under its control or
custody, including information that have been transferred to a third party for processing, whether
domestically or internationally, subject to cross-border arrangement and cooperation.
a. The personal information controller is accountable for complying with the requirements of this
Act and shall use contractual or other reasonable means to provide a comparable level of
protection while the information are being processed by a third party.
b. The personal information controller shall designate an individual or individuals who are
accountable for the organization’s compliance with this Act. The identity of the individual(s) so
designated shall be made known to any data subject upon request. [10]

[9] Section 20, Data Privacy Act of 2012
3. Data Processor
Personal information processor refers to any natural or juridical person qualified to act as such
under this Act to whom a personal information controller may outsource the processing of
personal data pertaining to a data subject. [11]
Criteria for the lawful processing of personal information that must be followed by data
processors
The processing of personal information shall be permitted only if not otherwise prohibited by law,
and when at least one of the following conditions exists:
a. The data subject has given his or her consent;
b. The processing of personal information is necessary and is related to the fulfillment of a
contract with the data subject or in order to take steps at the request of the data subject prior
to entering into a contract;
c. The processing is necessary for compliance with a legal obligation to which the personal
information controller is subject;
d. The processing is necessary to protect vitally important interests of the data subject, including
life and health;
e. The processing is necessary in order to respond to national emergency, to comply with the
requirements of public order and safety, or to fulfill functions of public authority which
necessarily includes the processing of personal data for the fulfillment of its mandate; or
f. The processing is necessary for the purposes of the legitimate interests pursued by the
personal information controller or by a third party or parties to whom the data is disclosed,
except where such interests are overridden by fundamental rights and freedoms of the data
subject which require protection under the Philippine Constitution. [12]
1. Definition of Consent
Consent of the data subject refers to any freely given, specific, informed indication of will,
whereby the data subject agrees to the collection and processing of personal information about
and/or relating to him or her. It may also be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so. [13]
2. Evidence of Consent
Consent shall be evidenced by written, electronic or recorded means. [14]
[10] Section 21, Data Privacy Act of 2012
[11] Section 3 (i), Data Privacy Act of 2012
[12] Section 12, Data Privacy Act of 2012
[13] Section 3 (b), Data Privacy Act of 2012
[14] Section 3 (b), Data Privacy Act of 2012