Preliminary Provisions, Data Privacy Law

Concept What is data privacy? Data privacy is not defined in R.A. 10161 or the Data Privacy Act of 2012, nor in the Implementing Rules and Regulations (IRR) or current NPC issuances. Instead, we will use the following definition from IBM writers: “Data privacy” or “information privacy” – refers to “the principle that a person…

Rules on accountability, Data Privacy Law

1. Accountability for Transfer of Personal Data 1) A personal information controller shall be responsible for any personal data under its control or custody, including information that have been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation. (Section 50,…

Registration and compliance requirements, Data Privacy Law

1. Enforcement of the Data Privacy Act Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following: a. Registration of personal data processing systems operating in the country that involves accessing or…

Outsourcing and subcontracting agreements, Data Privacy Law

1. Subcontract of Personal Data A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for…

Data Breach Notification, Data Privacy Law

Concept “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (IRR, Section 3[k]) Data Breach Notification Section 38. Data Breach Notification. a. The Commission and affected data subjects shall be notified by the…

Rights of Data Subjects, Data Privacy Law

7 Rights of the Data Subjects The following are the 7 rights of the data subject under the Data Privacy Law: 1) Right to be Informed, 2) Right to Object, 3) Right to Access, 4) Right to Rectification, 5) Right to Erasure or Blocking, 6) Right to Damages, and 7) Right to Data Portability. Figure…

Security of sensitive personal information in Government

1. Responsibility of Heads of Agencies All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each…

Security Measures for Protection of Personal Data, Data Privacy Law

Responsibility of PICs and PIPs Section 25. Data Privacy and Security. Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their…

Lawful Processing of Personal Data, Data Privacy Law

Concepts “Personal data” refers to all types of personal information. (IRR, Section 3[j], Rule I) “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together…