Q&A (IRR of Republic Act No. 10173)
The title is the Implementing Rules and Regulations of the Data Privacy Act of 2012, or the Rules.
To enforce the Data Privacy Act and adopt international principles and standards for personal data protection, safeguarding the right to privacy while ensuring the free flow of information for innovation and national development.
The National Privacy Commission (NPC) is the independent body mandated to administer, implement, and ensure compliance with the Act and international standards for data protection.
A natural or juridical person or body who controls the processing of personal data or instructs another to process personal data on its behalf, excluding those who only process data for personal or household affairs or under instruction without control.
It applies to processing of personal data by any natural or juridical person in government or private sector, including acts done outside the Philippines if related to Philippine citizens, residents, or entities with links to the Philippines.
Information processed for public access related to government officials' functions, journalistic, artistic or literary purposes, research for public benefit, law enforcement functions, and certain financial transactions is exempted to the minimum extent necessary.
Rights include the right to be informed, to object, to access, to rectification, to erasure/blocking, to damages, and the right to data portability, among others.
Unauthorized processing of personal info is punishable by 1 to 3 years imprisonment and fines of PHP 500,000 to 2 million. For sensitive personal info, 3 to 6 years imprisonment and fines of PHP 500,000 to 4 million apply.
Processing is lawful when the data subject consents, for contract fulfillment, legal obligations, protection of vital interests, national emergency, government mandates, or legitimate interests not overridden by data subject rights.
They must implement reasonable organizational, physical, and technical security measures to protect personal data, including compliance officers, data protection policies, access management, monitoring, encryption, and secure disposal of data.