Title: Data Privacy Act of 2012 summary
Law: Republic Act No. 10173
Decision Date: Aug 15, 2012
The Data Privacy Act of 2012 in the Philippines establishes regulations and safeguards for the protection of personal information, ensuring its fair and lawful processing while granting individuals rights and imposing penalties for unauthorized access or disclosure.

Policy and declared protections

  • The State protects the fundamental human right of privacy and communication while ensuring free flow of information to promote innovation and growth (Section 2).
  • The State recognizes the vital role of information and communications technology in nation-building and its obligation to secure and protect personal information in information and communications systems in both the government and the private sector (Section 2).

Core definitions established

  • “Commission” means the National Privacy Commission created under the Act (Section 3(a)).
  • “Consent of the data subject” means any freely given, specific, informed indication of will agreeing to collection and processing, evidenced by written, electronic or recorded means, and may be given by an authorized agent (Section 3(b)).
  • “Data subject” means an individual whose personal information is processed (Section 3(c)).
  • “Direct marketing” means communication directed to particular individuals for advertising or marketing material (Section 3(d)).
  • “Filing system” means a structured set of information (whether or not processed by automatic equipment) arranged by reference to individuals or to criteria so that specific information about a particular person is readily accessible (Section 3(e)).
  • “Information and Communications System” means systems for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, including related computers/devices and procedures (Section 3(f)).
  • “Personal information” means any information from which identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3(g)).
  • “Personal information controller” controls collection, holding, processing, or use of personal information, including instructing another to process on its behalf, but excludes instructed processors and individuals processing in personal/family/household affairs (Section 3(h)).
  • “Personal information processor” means any natural or juridical person qualified to act as such under the Act to whom a controller may outsource processing (Section 3(i)).
  • “Processing” means any operation or set of operations performed upon personal information, including collection, storage, updating, retrieval, consultation, use, blocking, erasure or destruction (Section 3(j)).
  • “Privileged information” means privileged communication under the Rules of Court and other pertinent laws (Section 3(k)).
  • “Sensitive personal information” includes defined categories: data on race/ethnic origin/marital status/age/color/religious/philosophical/political affiliations; health/education/genetic/sexual life; proceedings for offenses and related court outcomes; government-issued identifiers (including social security numbers, previous/current health records, licenses or denials/suspensions/revocations, and tax returns); and data specifically established by executive order or Act of Congress to be classified (Section 3(l)).

Coverage: application and exemptions

  • The Act applies to processing of all types of personal information and to any natural and juridical person involved in personal information processing, including controllers/processors not found or established in the Philippines, if they use equipment located in the Philippines, or maintain an office/branch/agency in the Philippines, subject to compliance with Section 5 (Section 4).
  • The Act does not apply to personal information about a government officer or employee that relates to position or functions, including: the fact of employment, title, business address and office telephone number, classification/salary range/responsibilities, and the name of the individual on documents prepared in the course of employment (Section 4(a)).
  • The Act does not apply to information about an individual performing service under contract for a government institution that relates to the services performed, including the contract terms and the name given during those services (Section 4(b)).
  • The Act does not apply to information relating to discretionary financial benefits granted by the government, including the individual’s name and the exact nature of the benefit (Section 4(c)).
  • The Act does not apply to personal information processed for journalistic, artistic, literary or research purposes (Section 4(d)).
  • The Act does not apply to information necessary to carry out functions of public authority, including processing by the independent central monetary authority and law enforcement and regulatory agencies for their constitutionally and statutorily mandated functions, and it declares that it shall not amend or repeal specified secrecy/credit laws (Section 4(e)).
  • The Act does not apply to information necessary for banks and other financial institutions under Bangko Sentral ng Pilipinas jurisdiction to comply with the Credit Information System Act (Republic Act No. 9510), the Anti-Money Laundering Act (Republic Act No. 9160) as amended, and other applicable laws (Section 4(f)).
  • The Act does not apply to personal information originally collected from residents of foreign jurisdictions in accordance with those foreign jurisdictions’ laws, including applicable data privacy laws, and being processed in the Philippines (Section 4(g)).

Journalists’ source protection

  • Nothing in the Act amends or repeals Republic Act No. 53, which protects publishers/editors/duly accredited reporters from being compelled to reveal the source of news reports or information related in confidence (Section 5).

Extraterritorial application rules

  • The Act applies to acts or practices engaged in outside the Philippines by an entity if they relate to personal information about a Philippine citizen or resident (Section 6(a)).
  • The Act applies extraterritorially when the entity has a link with the Philippines and processes personal information about Philippine citizens or residents, whether the processing takes place in or outside the Philippines; such links include: a contract entered into in the Philippines; central management and control in the Philippines by an unincorporated juridical entity; or a branch/agency/office/subsidiary in the Philippines with Philippine parent/affiliate access to personal information (Section 6(b)).
  • The Act applies extraterritorially where the entity has other links in the Philippines, including carrying on business in the Philippines and collection/holding of personal information in the Philippines (Section 6(c)).

National Privacy Commission: structure and powers

  • The Act creates an independent body, the National Privacy Commission (Commission), to administer and implement the Act and to monitor compliance with international data protection standards (Section 7).
  • The Commission ensures compliance by personal information controllers (Section 7(a)).
  • The Commission receives complaints, initiates investigations, facilitates settlement through alternative dispute resolution, adjudicates matters affecting personal information, awards indemnity, prepares reports on dispositions/resolutions, and may publicize reports in cases it deems appropriate (Section 7(b)).
  • In resolving complaints or investigations (except amicable settlement), the Commission acts as a collegial body, and it may access personal information subject of a complaint and collect information needed for its functions (Section 7(b)).
  • The Commission may issue cease and desist orders and impose a temporary or permanent ban on processing when processing will be detrimental to national security and public interest (Section 7(c)).
  • The Commission may compel or petition entities, government agencies, or instrumentalities to abide by its orders or take action affecting data privacy (Section 7(d)).
  • The Commission monitors other government agencies’ security and technical measures and recommends actions to meet minimum standards (Section 7(e)).
  • The Commission coordinates with other government agencies and the private sector on strengthening plans and policies for data protection (Section 7(f)).
  • The Commission publishes (1) a regular guide to all laws relating to data protection and (2) a compilation of agency systems of records and notices, including indexes and finding aids (Section 7(g)-(h)).
  • The Commission recommends to the Department of Justice (DOJ) the prosecution and imposition of penalties under Sections 25 to 29 (Section 7(i)).
  • The Commission reviews, approves, rejects, or requires modification of privacy codes voluntarily adhered to by controllers, requiring adherence to underlying data privacy principles; privacy codes may include private dispute resolution mechanisms; the Commission consults relevant regulatory agencies; and the Commission may require changes to comply with the Act (Section 7(j)).
  • The Commission provides assistance on privacy/data protection matters at the request of national/local agencies, private entities, or any person (Section 7(k)).
  • The Commission issues advisory opinions, interprets the Act and other data privacy laws, and comments on implications of proposed statutes/regulations/procedures (Section 7(l)).
  • The Commission coordinates with foreign data privacy regulators and private accountability agents, participates in international/regional initiatives, and negotiates/crafts contracts with other data privacy authorities for cross-border application and implementation (Section 7(n)-(o)).
  • The Commission assists Philippine companies doing business abroad to respond to foreign privacy/data protection laws (Section 7(p)).
  • The Commission performs acts necessary to facilitate cross-border enforcement of data privacy protection (Section 7(q)).
  • The Commission must ensure confidentiality of any personal information that comes to its knowledge and possession (Section 8).
  • The Commission is attached to the Department of Information and Communications Technology (DICT) and is headed by a Privacy Commissioner acting as Chairman, assisted by two (2) Deputy Privacy Commissioners: one for Data Processing Systems and one for Policies and Planning (Section 9).
  • The Privacy Commissioner and Deputies are appointed by the President for a term of three (3) years and may be reappointed for another term of three (3) years; vacancies are filled the same way as original appointments (Section 9).
  • The Privacy Commissioner must be at least thirty-five (35) years old, of good moral character, unquestionable integrity and known probity, and a recognized expert in IT and data privacy; the position enjoys benefits/emoluments equivalent to the rank of Secretary (Section 9).
  • The Deputy Privacy Commissioners must be recognized experts in information and communications technology and data privacy; they enjoy benefits/emoluments equivalent to the rank of Undersecretary (Section 9).
  • The Privacy Commissioner/Deputies (or persons acting on their behalf or under their direction) are not civilly liable for acts done in good faith in performance of duties; they are liable for willful or negligent acts contrary to law, morals, public policy and good customs even if done under orders of superiors (Section 9).
  • If a lawsuit is filed for lawful performance, the official is reimbursed by the Commission for reasonable costs of litigation (Section 9).
  • The Commission may establish a Secretariat; majority must have served at least five (5) years in government agencies involved in processing personal information, including enumerated agencies (Section 10).

Data processing principles and lawful grounds

  • Personal information processing is allowed only if the controller complies with the Act and other laws allowing disclosure and adheres to transparency, legitimate purpose, and proportionality (Section 11).
  • Personal information must be collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed only in ways compatible with those purposes (Section 11(a)).
  • Personal information must be processed fairly and lawfully (Section 11(b)).
  • Personal information must be accurate, relevant, and kept up to date; inaccurate/incomplete data must be rectified, supplemented, destroyed, or further processing restricted (Section 11(c)).
  • Personal information processing must be adequate and not excessive in relation to purposes (Section 11(d)).
  • Personal information must be retained only as long as necessary for fulfillment of purposes, for establishment/exercise/defense of legal claims, for legitimate business purposes, or as provided by law (Section 11(e)).
  • Personal information must be kept in a form permitting identification of data subjects no longer than necessary for purposes (Section 11(f)).
  • Personal information collected for historical, statistical, or scientific purposes may be processed for longer periods, and storage for longer periods may be done where laws authorize, with adequate safeguards guaranteed by such laws (Section 11(f)).
  • The personal information controller must ensure implementation of the data privacy principles in Section 11 (Section 11).
  • Processing is permitted only if not otherwise prohibited by law and when at least one lawful condition exists (Section 12).
  • Processing is lawful when the data subject gives consent (Section 12(a)).
  • Processing is lawful when necessary for performance of a contract with the data subject, or to take steps at the request of the data subject prior to entering into a contract (Section 12(b)).
  • Processing is lawful when necessary for compliance with a legal obligation of the controller (Section 12(c)).
  • Processing is lawful when necessary to protect vitally important interests of the data subject, including life and health (Section 12(d)).
  • Processing is lawful when necessary to respond to a national emergency, to comply with public order and safety requirements, or to fulfill functions of public authority whose mandate necessarily includes such processing (Section 12(e)).
  • Processing is lawful when necessary for legitimate interests pursued by the controller or a third party, except when those interests are overridden by data subject fundamental rights and freedoms under the Philippine Constitution (Section 12(f)).

Sensitive and privileged information rules

  • The processing of sensitive personal information and privileged information is prohibited except in enumerated cases (Section 13).
  • Processing is allowed with data subject consent specific to the purpose prior to processing; for privileged information, all parties to the exchange must give consent prior to processing (Section 13(a)).
  • Processing is allowed when provided for by existing laws and regulations that guarantee protection and when consent of data subjects is not required by law or regulation permitting the processing (Section 13(b)).
  • Processing is allowed to protect life and health when the data subject is not legally or physically able to express consent prior to processing (Section 13(c)).
  • Processing is allowed for lawful and noncommercial objectives of public organizations and their associations, restricted to bona fide members, not transferred to third parties, with data subject consent obtained prior to processing (Section 13(d)).
  • Processing is allowed for medical treatment when carried out by a medical practitioner or medical treatment institution and an adequate level of protection is ensured (Section 13(e)).
  • Processing is allowed when necessary for protection of lawful rights and interests in court proceedings, or for establishment/exercise/defense of legal claims, or when provided to government or public authority (Section 13(f)).
  • A personal information controller may subcontract processing, provided the controller remains responsible for ensuring safeguards, preventing unauthorized use, and compliance with the Act and other laws, while the personal information processor complies with all requirements (Section 14).
  • A controller may invoke privileged communication for privileged information it lawfully controls or processes; evidence gathered on privileged information is inadmissible subject to existing laws and regulations (Section 15).

Data subject rights and remedies

  • The data subject is entitled to be informed whether personal information pertaining to him or her will be, is being, or has been processed (Section 16(a)).
  • Before entry of personal information into the processing system, or at the next practical opportunity, the data subject must be furnished:
    • description of the personal information,
    • purposes,
    • scope and method of processing,
    • recipients or classes of recipients,
    • methods for automated access where allowed by the data subject and the extent of authorized access,
    • identity and contact details of the controller or representative,
    • period of storage,
    • existence of rights (access, correction, and right to lodge a complaint before the Commission) (Section 16(b)).
  • Any information supplied or declaration made to the data subject under Section 16(b) must not be amended without prior notification, except when personal information is needed pursuant to a subpoena or when collection and processing are for obvious purposes, including contract/service contexts or in employer-employee relationship, or when collection/processing is due to legal obligation (Section 16(b)).
  • The data subject is entitled to reasonable access, upon demand, to specified information including contents, sources, recipients, manner of processing, reasons for disclosure, automated processes that will be or are likely to be the sole basis for decisions significantly affecting the data subject, the date the information was last accessed and modified, and the designation/name/address of the controller (Section 16(c)).
  • The data subject may dispute inaccuracy or error and demand immediate correction unless the request is vexatious or otherwise unreasonable; if corrected, the controller must ensure accessibility of both new and retracted information and simultaneous receipt by recipients, and third parties previously receiving the data must be informed of inaccuracy and rectification upon reasonable request (Section 16(d)).
  • Upon discovery and substantial proof that personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for purposes, the data subject may suspend/withdraw/block/remove/destroy the personal information; the controller may notify third parties previously receiving the data (Section 16(e)).
  • The data subject is entitled to indemnification for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information (Section 16(f)).
  • Lawful heirs and assigns may invoke data subject rights after the data subject’s death or when incapacitated/incapable of exercising rights under Section 16 (Section 17).
  • The data subject has a right to data portability: obtain a copy of data undergoing processing in an electronic or structured format commonly used and allowing further use by the data subject, when processed by electronic means in a structured and commonly used format; the Commission may specify electronic format and technical standards/modality/procedures for transfer (Section 18).
  • The rights in the immediately preceding sections do not apply when processed personal information is used only for scientific and statistical research with no activities carried out and no decisions made regarding the data subject, with strict confidentiality and use only for declared purpose (Section 19).
  • The immediately preceding rights also do not apply to processing gathered for investigations relating to criminal, administrative or tax liabilities of a data subject (Section 19).

Security obligations and breach notification

  • The personal information controller must implement reasonable and appropriate organizational, physical and technical measures to protect personal information against accidental or unlawful destruction, alteration, disclosure, and other unlawful processing (Section 20(a)).
  • Controllers must implement measures to protect against natural dangers (accidental loss/destruction) and human dangers (unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination) (Section 20(b)).
  • The appropriate security level must take into account the nature of the personal information, the risks of processing, organization size/complexity, current best practices, and cost; subject to Commission guidelines, measures must include safeguards for the computer network, a security policy, a process to identify and assess reasonably foreseeable vulnerabilities and take preventive/corrective/mitigating action against security incidents that can lead to a breach, and regular monitoring with preventive/corrective/mitigating actions (Section 20(c)).
  • Controllers must ensure third parties processing on their behalf implement the security measures required by Section 20 (Section 20(d)).
  • Employees/agents/representatives involved in processing must keep personal information under strict confidentiality if not intended for public disclosure, and this obligation continues after leaving public service, transfer, termination of employment, or termination of contractual relations (Section 20(e)).
  • Controllers must promptly notify the Commission and affected data subjects when sensitive personal information, or other information that may enable identity fraud, is reasonably believed to have been acquired by an unauthorized person, and the controller or the Commission believes this unauthorized acquisition is likely to give rise to a real risk of serious harm; the notification must describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken (Section 20(f)).
  • Notification may be delayed only to determine breach scope, prevent further disclosures, or restore reasonable integrity of the information and communications system (Section 20(f)).
  • The Commission may exempt a controller from notification when, in reasonable judgment, notification would not be in public interest or in the interests of affected data subjects (Section 20(f)(2)).
  • The Commission may authorize postponement of notification where it may hinder a criminal investigation related to a serious breach (Section 20(f)(3)).
  • In evaluating whether notification is unwarranted, the Commission may consider controller compliance with Section 20 and existence of good faith in acquisition (Section 20(f)(1)).

Accountability for transfers

  • Each personal information controller is responsible for personal information under its control or custody, including information transferred to a third party for processing domestically or internationally, subject to cross-border arrangement and cooperation (Section 21).
  • The controller must comply with the Act and use contractual or other reasonable means to provide a comparable level of protection while information is processed by a third party (Section 21(a)).
  • The controller must designate an individual or individuals accountable for organizational compliance; the identity of designated individual(s) must be made known to any data subject upon request (Section 21(b)).

Government handling of sensitive information

  • Heads of agencies must secure all sensitive personal information maintained by government agencies and instrumentalities using the most appropriate standard recognized by the information and communications technology industry and as recommended by the Commission; the Commission monitors compliance and may recommend actions to satisfy minimum standards (Section 22).
  • Except as allowed by guidelines issued by the Commission, no government employee may access sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency (Section 23(a)).
  • Except as allowed by Commission guidelines, sensitive personal information may not be transported or accessed off government property unless a request is submitted and approved by the head of the agency under specified rules (Section 23(b)).
  • When a request is submitted to the head of an agency, the head must approve or disapprove within two (2) business days; if there is no action, the request is considered disapproved (Section 23(b)(1)).
  • If approved, the head must limit access to not more than one thousand (1,000) records at a time (Section 23(b)(2)).
  • Off-site access approved technology must use the most secure encryption standard recognized by the Commission (Section 23(b)(3)).
  • The requirements of Section 23(b) must be implemented not later than six (6) months after the date of enactment of the Act (Section 23).
  • For contracts involving access to or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency must require the contractor and its employees to register their personal information processing system with the Commission and comply with the Act, including the immediately preceding security access section, in the same manner agencies and government employees comply (Section 24).

Criminal penalties for violations

  • Unauthorized processing of personal information is punishable by imprisonment of one (1) year to three (3) years and a fine of not less than PHP 500,000 but not more than PHP 2,000,000 for processing without data subject consent or without authorization under the Act or existing law (Section 25(a)).
  • Unauthorized processing of sensitive personal information is punishable by imprisonment of three (3) years to six (6) years and a fine of not less than PHP 500,000 but not more than PHP 4,000,000 for processing without data subject consent or without authorization under the Act or existing law (Section 25(b)).
  • Accessing personal information due to negligence is punishable by imprisonment of one (1) year to three (3) years and a fine of not less than PHP 500,000 but not more than PHP 2,000,000 (Section 26(a)).
  • Accessing sensitive personal information due to negligence is punishable by imprisonment of three (3) years to six (6) years and a fine of not less than PHP 500,000 but not more than PHP 4,000,000 (Section 26(b)).
  • Improper disposal of personal information is punishable by imprisonment of six (6) months to two (2) years and a fine of not less than PHP 100,000 but not more than PHP 500,000 when knowingly or negligently disposing/discarding/abandoning personal information in an area accessible to the public or placing it in a container for trash collection (Section 27(a)).
  • Improper disposal of sensitive personal information is punishable by imprisonment of one (1) year to three (3) years and a fine of not less than PHP 100,000 but not more than PHP 1,000,000 under the same conduct standards (Section 27(b)).
  • Processing personal information for unauthorized purposes is punishable by imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than PHP 500,000 but not more than PHP 1,000,000 (Section 28(a)).
  • Processing sensitive personal information for unauthorized purposes is punishable by imprisonment of two (2) years to seven (7) years and a fine of not less than PHP 500,000 but not more than PHP 2,000,000 (Section 28(a)).
  • Unauthorized access or intentional breach: knowingly and unlawfully breaking into any system where personal and sensitive personal information is stored, or violating data confidentiality and security data systems, is punishable by imprisonment of one (1) year to three (3) years and a fine of not less than PHP 500,000 but not more than PHP 2,000,000 (Section 29).
  • Concealment of security breaches involving sensitive personal information after knowledge of a security breach and the notification obligation is punishable by imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than PHP 500,000 but not more than PHP 1,000,000 (Section 30).
  • Malicious disclosure by any controller/processor or its officials/employees/agents who, with malice or bad faith, discloses unwarranted or false personal or sensitive personal information is punishable by imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than PHP 500,000 but not more than PHP 1,000,000 (Section 31).
  • Unauthorized disclosure to a third party:
    • disclosure of personal information not covered by Section 31 without data subject consent is punishable by imprisonment of one (1) year to three (3) years and a fine of not less than PHP 500,000 but not more than PHP 1,000,000 (Section 32(a));
    • disclosure of sensitive personal information not covered by Section 31 without data subject consent is punishable by imprisonment of three (3) years to five (5) years and a fine of not less than PHP
