Q&A (NPC IRR of Republic Act No. 10173)
They are known as the Implementing Rules and Regulations of the Data Privacy Act of 2012.
The Rules enforce the Data Privacy Act, uphold the fundamental right to privacy, ensure free flow of information for growth and development, and recognize the role of information and communications technology in nation-building.
An individual whose personal, sensitive personal, or privileged information is processed.
They apply to processing of personal data by any natural or juridical person in the government or private sector, including acts done outside the Philippines under specific conditions related to presence, citizenship, residency, or business links.
Information about public officials in relation to their position or functions, contractual services for government, financial benefits conferred by government, information processed for journalistic, artistic, or literary purposes or for research for public benefit, and information needed for lawful public authority functions is exempt, but only to the minimum extent necessary.
Transparency, legitimate purpose, and proportionality, ensuring that processing is fair, lawful, necessary, and not excessive.
When consent is obtained, or when processing is necessary to fulfill a contract, comply with a legal obligation, protect vital interests, comply with public order requirements, fulfill a constitutional or statutory mandate, or pursue legitimate interests not overridden by the rights of the data subject.
Imprisonment of three to six years and a fine from Five hundred thousand pesos (Php500,000) up to Four million pesos (Php4,000,000).
Rights to be informed, to object, to access, to rectification, to erasure or blocking, and to damages for violations.
To administer and implement the Data Privacy Act, monitor compliance, enforce laws, issue rules and administrative issuances, adjudicate complaints, and promote public education on data privacy.
Within seventy-two (72) hours from knowledge or reasonable belief that a personal data breach requiring notification has occurred.
Reasonable and appropriate organizational, physical, and technical security measures to maintain availability, integrity, and confidentiality and prevent unlawful processing, access, alteration, or destruction.
They are individuals designated to ensure compliance with data privacy and security laws within a personal information controller or processor.
They must register their personal data processing system with the Commission and comply with the same requirements as government agencies, including security and confidentiality obligations.
Processing is prohibited except with consent, lawful authorization, necessity to protect life or health, for bona fide organizational purposes, medical treatment, or legal proceedings, with adequate safeguards.
The personal information controller must stop processing unless it is necessary for legal obligations, contractual necessities, or subpoena requirements.
Personal information controllers and processors shall register within one (1) year from the effectivity of these Rules; extensions may be granted for good cause.
The personal information controller remains accountable and must ensure reasonable safeguards and comparable protection under the law during processing by third parties.
Profiling is automated processing of personal data used to evaluate or predict personal aspects such as work performance, economic situation, health, preferences, behavior, or movements.
Disclosure or transfer of personal data under the custody of a personal information controller to a third party upon instructions; it excludes outsourcing to a personal information processor.