PNP Training Lineal List Rules

Applies to all personal data processing by natural or juridical persons in government or private sector.
Covers processing done inside or outside the Philippines with links to the country.
Exempts certain public sector information, journalistic activities, research purposes, and law enforcement functions.
Requires minimum processing for exempt information and emphasizes protection of data subject rights.
Provides special protection to journalists and their confidential sources.

Independent regulatory body administering and implementing the Act.
Functions include rule-making, advisory services, public education, compliance monitoring, complaints adjudication, and enforcement.
Authority to issue administrative orders, conduct investigations, and impose sanctions.
Structure includes Privacy Commissioner (head), Deputy Commissioners, and Secretariat with specialized offices.
Confidentiality duty imposed on Commission personnel even after termination of service.

Processing allowed only with adherence to transparency, legitimate purpose, and proportionality.
Collection must be for declared, specified, and lawful purposes with consent where required.
Personal data must be accurate, adequately safeguarded, and retained no longer than necessary.
Authorized further processing allowed for historical, statistical or scientific purposes with safeguards.
Data sharing governed by consent, legal authorization, and agreements with safeguards.

Processing personal information lawful if consented by data subject or under specified exceptions (contract, legal obligation, vital interest, public safety, public authority mandate, or legitimate interests not overriding rights).
Processing sensitive personal or privileged information generally prohibited except by consent, legal provisions, medical treatment, public interest, or for legal claims.
Extends protection to privileged communication and regulates surveillance and interception to comply with data privacy standards.

Controllers and processors must implement reasonable organizational, physical, and technical security measures.
Organizational security includes designating compliance officers, data protection policies, record-keeping, employee supervision, and contract compliance.
Physical security involves access controls, secure office design, disposal procedures, and safeguards against disasters.
Technical security entails network protection, system resilience, encryption, access control, and regular testing.
Security levels tailored to data nature, processing risk, and organizational factors.

Agency heads responsible for securing sensitive personal information.
Access to sensitive data limited to authorized personnel with security clearance.
Strict regulation of on-site and online access; off-site access must be approved with encryption and accountability.
Applies similar standards to government contractors handling sensitive data.

Rights to be informed, object, access, rectify, erase/block personal data, and claim damages.
Right to data portability in structured electronic formats.
Rights transmissible to heirs or assigns upon incapacity or death of data subject.
Limits on rights for scientific research or investigations to the minimum necessary.

Controllers must notify the Commission and affected data subjects within 72 hours of a breach involving sensitive or identity-fraud enabling information.
Notification includes breach nature, affected data, mitigation steps, and contact persons.
Delays only allowed to assess breach scope or protect investigations.
Commission may exempt or postpone notification in public interest.
Detailed reporting and documentation of breaches required.

Processing may be outsourced with safeguards ensured by binding contracts.
Contracts must specify purpose, nature, duration, obligations and rights, confidentiality, security measures, audit rights, and restrictions on subcontracting.
Personal information processors must comply with law and contractual duties.

Personal data processing systems involving sensitive data of 1,000+ individuals must be registered.
Automated decision-making systems affecting data subjects must be notified.
Commission reviews compliance, agreements, data sharing, and reported violations.

Controllers accountable for data under their control including data outsourced or transferred.
Must ensure comparable protection by processors and designate accountable officers.
Violations entail administrative sanctions, fines, indemnities, or criminal prosecution.

Penalties include imprisonment and substantial fines for unauthorized processing, negligent access, improper disposal, unauthorized purposes, unauthorized access and breaches, concealment of breaches, malicious or unauthorized disclosures.
Enhanced penalties for large-scale offenses, public officers, corporations, and aliens.
Commission may order restitution and impose fines or bans on processing.